blob: de8dcc60d248cdf7313967663bc401414380313c (plain)
<td><a href="http://seclists.org/oss-sec/2015/q3/374">
No CVE assigned</a>
</td>
<td>ServerKeyExchange signature issue</td>
<td><a
href="http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/8132">Karthikeyan Bhargavan
reported</a> that the client does not verify that the signature algorithm of the
ServerKeyExchange signature sent by the server is in the set of algorithms the client
advertised as acceptable. The effect is that MD5 signatures (which are disabled by default)
are accepted in the ServerKeyExchange message. This bug is not believed to be exploitable,
because a fraudulent signature would have to be generated in real time, which is not
known to be possible. However, since attacks only get better, it is
recommended to update to a GnuTLS version that addresses the issue.<br>
<b>Recommendation:</b> Upgrade to GnuTLS 3.4.1 or 3.3.15.</td>
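The missing check described above, as an added illustration that is not GnuTLS code: a TLS 1.2 client parses the DigitallySigned tail of ServerKeyExchange (RFC 5246, section 4.7: a two-byte SignatureAndHashAlgorithm followed by a length-prefixed signature) and must confirm that the server's chosen algorithm is one it advertised in its own signature_algorithms extension. The pre-fix branch takes the server's choice at face value, so an MD5-based algorithm the client never offered would still be selected for verification; the hardened branch rejects the message. The client's advertised set, the message bytes and the placeholder signature body are constructed for this example, and verification of the signature bytes themselves against the server's key is out of scope.

```python
import struct

# TLS 1.2 SignatureAndHashAlgorithm code points (RFC 5246, section 7.4.1.4.1).
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# Constructed example of a client's signature_algorithms extension: SHA-2/SHA-1 with RSA
# and ECDSA, and no MD5 entry (the advisory notes MD5 signatures are disabled by default).
CLIENT_SIGALGS = frozenset({
    (4, 1), (5, 1), (6, 1), (2, 1),   # sha256/sha384/sha512/sha1 with rsa
    (4, 3), (5, 3), (6, 3), (2, 3),   # sha256/sha384/sha512/sha1 with ecdsa
})


def describe(algo):
    """Human-readable name for a (hash_id, sig_id) pair, e.g. (1, 1) -> 'md5+rsa'."""
    hash_id, sig_id = algo
    return f"{HASH_NAMES.get(hash_id, hash_id)}+{SIG_NAMES.get(sig_id, sig_id)}"


def build_digitally_signed(hash_id, sig_id, signature):
    """Encode the DigitallySigned tail of a ServerKeyExchange:
    SignatureAndHashAlgorithm (2 bytes) then a 16-bit-length-prefixed signature."""
    return struct.pack("!BBH", hash_id, sig_id, len(signature)) + signature


def parse_digitally_signed(data):
    """Decode the DigitallySigned tail, rejecting truncated or inconsistent lengths."""
    if len(data) < 4:
        raise ValueError("truncated DigitallySigned")
    hash_id, sig_id, sig_len = struct.unpack("!BBH", data[:4])
    signature = data[4:4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("signature length field exceeds the message")
    return (hash_id, sig_id), signature


def select_verification_algorithm_unchecked(data, client_sigalgs):
    """Pre-fix behaviour as the advisory describes it: the server's algorithm is
    accepted whatever it is, so md5+rsa would be used even though it was never offered."""
    algo, signature = parse_digitally_signed(data)
    return algo, signature


def select_verification_algorithm_checked(data, client_sigalgs):
    """Hardened behaviour: the algorithm must be one the client advertised."""
    algo, signature = parse_digitally_signed(data)
    if algo not in client_sigalgs:
        raise ValueError(
            f"ServerKeyExchange signed with {describe(algo)}, which the client did not offer")
    return algo, signature


if __name__ == "__main__":
    # Constructed messages with a placeholder signature body (not a real signature).
    placeholder_sig = b"\x00" * 32
    md5_msg = build_digitally_signed(1, 1, placeholder_sig)      # md5+rsa, not offered
    sha256_msg = build_digitally_signed(4, 1, placeholder_sig)   # sha256+rsa, offered
    print("unchecked accepts:",
          describe(select_verification_algorithm_unchecked(md5_msg, CLIENT_SIGALGS)[0]))
    print("checked accepts:",
          describe(select_verification_algorithm_checked(sha256_msg, CLIENT_SIGALGS)[0]))
    try:
        select_verification_algorithm_checked(md5_msg, CLIENT_SIGALGS)
    except ValueError as err:
        print("checked rejects:", err)
```

The algorithm check has to happen before any signature verification is attempted, because once the client feeds the message to an MD5-based verifier it has already accepted a weaker algorithm than the one it negotiated.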