GnuTLS session resumption exploit
der.hans
PLUGd at LuftHans.com
Tue Jun 9 20:07:59 MST 2020
On 10 Jun 2020, Seabass via PLUG-discuss chatted thus:
moin moin,
> What exactly is gnutls used for?
> Web servers, or do general users actually use this for TLS connections?
> Or something else?
I don't know, but I believe it's in the same category as OpenSSL, so could
be anything that wants to use TLS.
Debian reverse depends shows 354 packages.
$ apt-cache rdepends libgnutls30 | grep -vc ^lib
354
$
$ apt-cache rdepends libgnutls30 | grep -Evc '^ lib'
258
$
$ apt-cache rdepends libgnutls30 | grep -Ev '^ lib' | awk -F- '{print $1 }' | sort -u | wc
141 142 1337
$
Here are some from that list:
telepathy, weechat, vlc, wget, rsyslog, abiword, cups, emacs
ciao,
der.hans
>> moin moin,
>>
>> GnuTLS sessions can be resumed, allowing man in the middle attacks
>>
>> get yer updates
>>
>> https://gitlab.com/gnutls/gnutls/-/issues/1011
>>
>> ciao,
>>
>> der.hans
--
# https://www.LuftHans.com https://www.PhxLinux.org
# "Arguing that you don't care about the right to privacy because you have
# nothing to hide is no different than saying you don't care about
# free speech because you have nothing to say." -- Edward Snowden
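
An added example, not part of the original post: a small filter for `apt-cache rdepends` output that lists the unique non-library reverse dependencies and groups them by the name before the first "-", for gauging how much of a system links against a library that needs updating. The function names and the sample input are constructed for illustration.

```shell
# Keep only dependency entries from `apt-cache rdepends <pkg>` output (stdin).
# Entries are indented; a leading "|" marks an alternative dependency.
# The package name line and the "Reverse Depends:" header are not indented.
rdeps_non_lib() {
    awk '
        !/^[ |]/ { next }            # skip the unindented header lines
        {
            sub(/^[ |]+/, "")        # strip indentation and the "|" marker
            if ($0 == "" || $0 ~ /^lib/) next
            print
        }
    ' | LC_ALL=C sort -u
}

# Collapse package names to the part before the first "-",
# so telepathy-gabble and telepathy-salut count once as "telepathy".
rdeps_families() {
    rdeps_non_lib | awk -F- '{ print $1 }' | LC_ALL=C sort -u
}

# Constructed sample input in the shape apt-cache rdepends prints.
sample_rdepends() {
    cat <<'EOF'
libgnutls30
Reverse Depends:
  libcurl3-gnutls
  wget
 |emacs-gtk
  telepathy-gabble
  telepathy-salut
  cups
  wget
  libneon27-gnutls
EOF
}

# Usage on a Debian system:
#   apt-cache rdepends libgnutls30 | rdeps_non_lib
#   apt-cache rdepends libgnutls30 | rdeps_families | wc -l
```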