H GnuTLS είναι μια ευρέως χρησιμοποιούμενη βιβλιοθήκη κρυπτογραφίας της SSL / TLS, Είναι open source και βρέθηκε να είναι ευάλωτη σε μια vulnerability buffer overflow that could be exploited to crash TLS clients or potentially execute malicious code on running systems.
The GnuTLS library is applied to secure sockets layer (SSL) and transport layer security (TLS) on computers, servers to provide encrypted communication over unsecure channels.
The bug CVE-2014-3466, discovered by Joonas Kuorilehto of security firm Codenomicon, the same security firm that discovered the Internet's biggest vulnerability, Heartbleed. Unlike Heartbleed, the GnuTLS library is not as widely used as OpenSSL.
The GnuTLS vulnerability lies in the way GnuTLS parses the session ID from the response from the server at the start of a TLS communication. It does not control its length Session ID in the ServerHello message, and allows a malicious server to send an excessively long value in order to perform a buffer overflow.
Red Hat has already analyzed the vulnerability and has released a patch. For more technical details read here.
