GNUTLS 3.1.x/3.2.x Denial of service

2013.10.25

Credit: Marcus

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2013-4466

CWE: N/A

CVSS Base Score: 5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: None

Integrity impact: None

Availability impact: Partial

GNUTLS just posted a security adivsory which needs a CVE:

http://www.gnutls.org/security.html#GNUTLS-SA-2013-3 
GNUTLS-SA-2013-3 Denial of service This vulnerability affects the
DANE library of gnutls 3.1.x and gnutls 3.2.x. A server that
returns more 4 DANE entries could corrupt the memory of a
requesting client.  Recommendation: Upgrade to the latest gnutls 
version (3.1.15 or 3.2.5)

Commit for 3.1: 
https://gitorious.org/gnutls/gnutls/commit/916deedf41604270ac398314809e8377476433db

 Commit for 3.2: 
https://gitorious.org/gnutls/gnutls/commit/ed51e5e53cfbab3103d6b7b85b7ba4515e4f30c3

 Ciao, Marcus

References:

https://gitorious.org/gnutls/gnutls/commit/916deedf41604270ac398314809e8377476433db

https://gitorious.org/gnutls/gnutls/commit/ed51e5e53cfbab3103d6b7b85b7ba4515e4f30c3

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

GNUTLS 3.1.x/3.2.x Denial of service

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.