#43865: gnutls 3.3.3
----------------------------+--------------------------------
 Reporter:  mschamschula@…  |      Owner:  macports-tickets@…
     Type:  update          |     Status:  new
 Priority:  Normal          |  Milestone:
Component:  ports           |    Version:  2.3.0
 Keywords:                  |       Port:  gnutls
----------------------------+--------------------------------
 gnutls has been updated to address CVE-2014-3466:
 {{{
 A flaw was found in the way GnuTLS parsed session ids from Server Hello
 packets of the TLS/SSL handshake. A malicious server could use this flaw
 to send an excessively long session id value and trigger a buffer overflow
 in a connecting TLS/SSL client using GnuTLS, causing it to crash or,
 possibly, execute arbitrary code.

 The flaw is in read_server_hello() / _gnutls_read_server_hello(), where
 session_id_len is checked to not exceed incoming packet size, but not
 checked to ensure it does not exceed maximum session id length:

 https://www.gitorious.org/gnutls/gnutls/source/8d7d6c6:lib/gnutls_handshake....
 }}}

 MacPorts still is using the outdated 3.1.x branch. I've updated gnutls to
 the current stable 3.3.x branch.

--
Ticket URL: <https://trac.macports.org/ticket/43865>
MacPorts <http://www.macports.org/>
Ports system for OS X
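
The two length checks named in the quoted advisory, written out as an added example (this is not GnuTLS or MacPorts code). The function, struct and constant names are hypothetical; the 32-byte limit is taken from RFC 5246's `SessionID<0..32>`, and the input buffers are constructed for the example.

```c
/* Added example; all names here are hypothetical, not GnuTLS identifiers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSION_ID_LEN 32   /* RFC 5246: opaque SessionID<0..32> */
#define HELLO_FIXED_LEN    34   /* 2-byte version + 32-byte random */

enum { SID_OK = 0, SID_TRUNCATED = -1, SID_TOO_LONG = -2 };
struct session { uint8_t id[MAX_SESSION_ID_LEN]; uint8_t id_len; };

/* Copy the session id out of a ServerHello body (the bytes that follow
 * the handshake header). Returns SID_OK or a negative error code. */
int read_session_id(const uint8_t *body, size_t body_len, struct session *s)
{
    if (body_len < HELLO_FIXED_LEN + 1)
        return SID_TRUNCATED;
    size_t id_len = body[HELLO_FIXED_LEN];

    /* Check 1: the claimed length must fit inside the received packet. */
    if (id_len > body_len - HELLO_FIXED_LEN - 1)
        return SID_TRUNCATED;
    /* Check 2: it must also fit the fixed-size destination buffer. The
     * advisory describes this as the check that was not performed. */
    if (id_len > MAX_SESSION_ID_LEN)
        return SID_TOO_LONG;

    memcpy(s->id, body + HELLO_FIXED_LEN + 1, id_len);
    s->id_len = (uint8_t)id_len;
    return SID_OK;
}

/* Constructed input: a zero-filled body of body_len bytes whose
 * session id length byte is set to claimed_len. */
int check_constructed(uint8_t claimed_len, size_t body_len)
{
    uint8_t body[512] = {0};
    struct session s;
    if (body_len > sizeof body)
        return SID_TRUNCATED;
    body[HELLO_FIXED_LEN] = claimed_len;
    return read_session_id(body, body_len, &s);
}

int main(void)
{
    printf("len 32, 70-byte body:   %d\n", check_constructed(32, 70));
    printf("len 200, 300-byte body: %d\n", check_constructed(200, 300));
    return 0;
}
```

The second call is the case the advisory is about: a length that fits the packet, so check 1 alone accepts it, but that is larger than the destination buffer.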