libgnutls28 appears to not have been updated for CVE-2014-3466 in Trusty
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gnutls28 (Ubuntu) | Fix Released | Critical | Unassigned | | |
Bug Description
Hi,
Although you've pushed out a patch for CVE-2014-3466 to libgnutls26 in the current stable LTS Ubuntu release (Trusty), you've not pushed out a corresponding patch for libgnutls28 (which is used by some packages).
Looking at the apt-cache policy output:
    $ apt-cache policy libgnutls28
    libgnutls28:
      Installed: 3.2.11-2ubuntu1
      Candidate: 3.2.11-2ubuntu1
      Version table:
     *** 3.2.11-2ubuntu1 0
            500 http://
            100 /var/lib/
This would look like a vulnerable version according to the CVE report (also Launchpad shows this package as not having been updated since the 5th of March).
http://
Can you please push out this patch asap, especially given that the vulnerability has been widely publicised in the media as of yesterday?
Thanks,
Dr Owain Kenway
CVE References
tags: | added: trusty |
Changed in gnutls28 (Ubuntu): | |
status: | Confirmed → Triaged |
tags: | added: amd64 |
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures