[MacPorts] #43865: gnutls 3.3.3
MacPorts
noreply at macports.org
Sun Jun 1 08:48:14 PDT 2014
#43865: gnutls 3.3.3
----------------------------+--------------------------------
Reporter: mschamschula@… | Owner: macports-tickets@…
Type: update | Status: new
Priority: Normal | Milestone:
Component: ports | Version: 2.3.0
Keywords: | Port: gnutls
----------------------------+--------------------------------
gnutls has been updated to address CVE-2014-3466:
{{{
A flaw was found in the way GnuTLS parsed session ids from Server Hello
packets of the TLS/SSL handshake. A malicious server could use this flaw
to send an excessively long session id value and trigger a buffer overflow
in a connecting TLS/SSL client using GnuTLS, causing it to crash or,
possibly, execute arbitrary code.
The flaw is in read_server_hello() / _gnutls_read_server_hello(), where
session_id_len is checked to not exceed incoming packet size, but not
checked to ensure it does not exceed maximum session id length:
https://www.gitorious.org/gnutls/gnutls/source/8d7d6c6:lib/gnutls_handshake.c#L1747
}}}
MacPorts still is using the outdated 3.1.x branch. I've updated gnutls to
the current stable 3.3.x branch.
--
Ticket URL: <https://trac.macports.org/ticket/43865>
MacPorts <http://www.macports.org/>
Ports system for OS X
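
The bounds check the quoted advisory describes, as an added example (not GnuTLS source and not part of the ticket): a ServerHello body parser that checks the session id length against both the packet size and the destination buffer. All names are hypothetical; the 32-byte limit comes from the TLS SessionID definition (opaque<0..32>), and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSION_ID_SIZE 32  /* TLS: opaque SessionID<0..32> */

enum { SH_OK = 0, SH_TRUNCATED = -1, SH_SID_TOO_LONG = -2 };

struct session { uint8_t id[MAX_SESSION_ID_SIZE]; uint8_t id_len; };

/* ServerHello body: version(2) | random(32) | sid_len(1) | sid | suite(2) | comp(1) */
int parse_server_hello(const uint8_t *data, size_t len, struct session *out)
{
    size_t pos = 2 + 32;                      /* skip version and random */
    if (len < pos + 1) return SH_TRUNCATED;
    uint8_t sid_len = data[pos++];

    /* Check 1: the claimed length must fit in what was received.
     * The advisory says this check was present. */
    if (sid_len > len - pos) return SH_TRUNCATED;

    /* Check 2: the claimed length must fit in the fixed-size destination.
     * The advisory says this check was missing; without it the memcpy
     * below writes past out->id for any sid_len of 33..255. */
    if (sid_len > MAX_SESSION_ID_SIZE) return SH_SID_TOO_LONG;

    memcpy(out->id, data + pos, sid_len);
    out->id_len = sid_len;
    pos += sid_len;
    if (len - pos < 3) return SH_TRUNCATED;   /* cipher suite + compression */
    return SH_OK;
}

/* Constructed sample: a body that claims sid_len and carries `carried` id bytes. */
int parse_constructed(uint8_t sid_len, size_t carried)
{
    uint8_t buf[2 + 32 + 1 + 255 + 3] = {0x03, 0x03};
    struct session s;
    buf[34] = sid_len;
    memset(buf + 35, 0xAB, carried);
    return parse_server_hello(buf, 35 + carried + 3, &s);
}

int main(void)
{
    printf("32-byte id: %d\n", parse_constructed(32, 32));
    printf("33-byte id: %d\n", parse_constructed(33, 33));
    return 0;
}
```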