After Heartbleed comes GnuTLS bug CVE-2014-3466

GnuTLS is a widely used open-source SSL/TLS cryptography library. It has been found to contain a buffer overflow vulnerability that could be exploited to crash TLS clients or possibly to execute code on the systems running them.


The GnuTLS library implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to provide encrypted communication over insecure channels.

The bug, CVE-2014-3466, was discovered by Joonas Kuorilehto of the security firm Codenomicon, the same company that discovered Heartbleed, the biggest vulnerability the Internet has seen. Unlike the OpenSSL library affected by Heartbleed, GnuTLS is not as widespread.

The GnuTLS vulnerability lies in the way the library parses the session ID from the server's response at the start of a TLS handshake. It does not check the length of the session ID in the ServerHello message, so a malicious server can send an excessively long value and overflow the buffer that receives it.
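The missing check is easiest to see in code. The following is an added example, not GnuTLS source or the Red Hat patch: a bounds-checked parser for the fixed-size prefix of a ServerHello as laid out in RFC 5246 (version, random, session ID, cipher suite, compression method). The `parse_server_hello`, `build_sample_server_hello` and `check_sample` names, the error codes and the sample messages are all constructed for this illustration. The point it demonstrates is that the session ID length is a one-byte field supplied by the peer, so it can claim up to 255 bytes, while the protocol caps a session ID at 32 bytes; a receiver that copies into a 32-byte buffer must reject the oversized length before copying, and must also refuse a length that exceeds the bytes actually received.

```c
/* Added example (not GnuTLS code): bounds-checked ServerHello prefix parser.
 * Field layout follows RFC 5246 section 7.4.1.3; handshake header is assumed
 * to have been stripped already. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS_RANDOM_LEN          32
#define TLS_MAX_SESSION_ID_LEN  32   /* protocol maximum for SessionID */

enum sh_status {
    SH_OK = 0,
    SH_ERR_TRUNCATED = 1,            /* message shorter than its fields claim */
    SH_ERR_SESSION_ID_TOO_LONG = 2   /* length byte exceeds protocol maximum  */
};

struct server_hello {
    uint16_t version;
    uint8_t  random[TLS_RANDOM_LEN];
    uint8_t  session_id_len;
    uint8_t  session_id[TLS_MAX_SESSION_ID_LEN]; /* fixed buffer an unchecked copy would overrun */
    uint16_t cipher_suite;
    uint8_t  compression;
};

/* Parse a ServerHello body of `len` bytes into *out. Every peer-supplied
 * length is validated before it is used as a copy size or an offset. */
enum sh_status parse_server_hello(const uint8_t *msg, size_t len, struct server_hello *out)
{
    size_t pos = 0;

    /* version (2) + random (32) + session_id length (1) must be present */
    if (len < 2 + TLS_RANDOM_LEN + 1)
        return SH_ERR_TRUNCATED;
    out->version = (uint16_t)((msg[0] << 8) | msg[1]);
    pos = 2;
    memcpy(out->random, msg + pos, TLS_RANDOM_LEN);
    pos += TLS_RANDOM_LEN;

    uint8_t sid_len = msg[pos++];
    /* The check at the heart of CVE-2014-3466: the length byte can encode
     * 0..255, but session_id[] only holds 32 bytes. Reject before copying. */
    if (sid_len > TLS_MAX_SESSION_ID_LEN)
        return SH_ERR_SESSION_ID_TOO_LONG;
    /* Also make sure the claimed bytes are really in the received buffer. */
    if (len - pos < sid_len)
        return SH_ERR_TRUNCATED;
    out->session_id_len = sid_len;
    memcpy(out->session_id, msg + pos, sid_len);
    pos += sid_len;

    /* cipher_suite (2) + compression_method (1) */
    if (len - pos < 3)
        return SH_ERR_TRUNCATED;
    out->cipher_suite = (uint16_t)((msg[pos] << 8) | msg[pos + 1]);
    out->compression  = msg[pos + 2];
    return SH_OK;
}

/* Build a constructed (not captured) ServerHello body. `sid_len_byte` is the
 * value written into the length field; `sid_bytes_present` is how many
 * session-ID bytes actually follow it, so truncation can be simulated too.
 * Returns the number of bytes written, or 0 if `cap` is too small. */
size_t build_sample_server_hello(uint8_t *buf, size_t cap,
                                 uint8_t sid_len_byte, size_t sid_bytes_present)
{
    size_t need = 2 + TLS_RANDOM_LEN + 1 + sid_bytes_present + 3;
    if (cap < need)
        return 0;
    size_t pos = 0;
    buf[pos++] = 0x03; buf[pos++] = 0x03;                 /* TLS 1.2 */
    memset(buf + pos, 0xAB, TLS_RANDOM_LEN);              /* placeholder random */
    pos += TLS_RANDOM_LEN;
    buf[pos++] = sid_len_byte;
    memset(buf + pos, 0x11, sid_bytes_present);           /* placeholder session ID */
    pos += sid_bytes_present;
    buf[pos++] = 0xC0; buf[pos++] = 0x2F;                 /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    buf[pos++] = 0x00;                                    /* null compression */
    return pos;
}

/* Parse a constructed sample and return the parser's verdict. */
enum sh_status check_sample(uint8_t sid_len_byte, size_t sid_bytes_present)
{
    uint8_t buf[2 + TLS_RANDOM_LEN + 1 + 255 + 3];
    struct server_hello sh;
    size_t n = build_sample_server_hello(buf, sizeof buf, sid_len_byte, sid_bytes_present);
    return parse_server_hello(buf, n, &sh);
}

int main(void)
{
    printf("session_id length 32, 32 bytes present  -> %d (0 = accepted)\n", (int)check_sample(32, 32));
    printf("session_id length 200, 200 bytes present -> %d (2 = too long)\n", (int)check_sample(200, 200));
    printf("session_id length 32, 10 bytes present  -> %d (1 = truncated)\n", (int)check_sample(32, 10));
    return 0;
}
```

The two length checks are deliberately separate: the first enforces the protocol's 32-byte cap and is what protects the fixed-size destination buffer, the second enforces that the message is as long as it claims and protects against reading past the received data. A parser that performs only the second check would still overrun `session_id[]` for any length between 33 and 255, which is the class of defect the advisory describes.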

Red Hat has already analyzed the vulnerability and has released a patch. For more technical details read here.


Written by giorgos
