4

Right now the internet is abuzz with news about a severe breach in GnuTLS.

An update to the relevant GnuTLS packages has already been released. But I am worried whether some packages might have had GnuTLS compiled directly into them, instead of dynamically linking to it.

I would like to know the likelihood of this. If any of you are aware of any such packages, please share them.

3
  • Hi nedR - while this question is about security, I feel you may get better answers on AskUbuntu - do you want me to migrate this question over for you?
    – Rory Alsop
    Commented Mar 5, 2014 at 11:19
  • @RoryAlsop: Thanks for asking before moderating :) I considered this too, but I thought that the IT Security group was in a better position to answer this question than AskUbuntu. If you feel this really belongs in AskUbuntu, please migrate it. Thanks again.
    – nedR
    Commented Mar 5, 2014 at 11:24
  • I'll ask some of the regulars in Information Security Chat - I just have a feeling that you'll need folks with the wider view of Ubuntu packages. Lemme check and get back to you shortly.
    – Rory Alsop
    Commented Mar 5, 2014 at 11:26

2 Answers

1

According to Canonical's CVE tracker, the gnutls26 package is totally patched, while gnutls28 on Precise (12.04) and Saucy (13.10) is still affected, and other versions are not affected. There aren't any bugs related to fixing these versions in Launchpad either, so unless you are using 12.04 or 13.10, it is safe to say that you are not affected by this bug.

-1

nedR, after viewing the GnuTLS site, I found that any versions prior to version 3.2.12 or 3.2.22 are still vulnerable. The Ubuntu packages using GnuTLS 28 are mostly still affected. That is, packages 12.04, 12.10, 13.10, and 14.04. Glad to be of assistance!
