CVE-2017-7507

Published: 09 June 2017

GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dereference while decoding a status response TLS extension with valid contents. This could lead to a crash of the GnuTLS server application.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
gnutls26
Launchpad, Ubuntu, Debian
Upstream Needs triage
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable (code not present)
gnutls28
Launchpad, Ubuntu, Debian
Upstream Released (3.5.13,3.5.8-6)
Ubuntu 18.04 LTS (Bionic Beaver) Released (3.5.8-6ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus) Released (3.4.10-4ubuntu1.3)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist (trusty was needed)
Patches:
Upstream: https://gitlab.com/gnutls/gnutls/commit/4c4d35264fada08b6536425c051fb8e0b05ee86b
Upstream: https://gitlab.com/gnutls/gnutls/commit/3efb6c5fd0e3822ec11879d5bcbea0e8d322cd03
Upstream: https://gitlab.com/gnutls/gnutls/commit/e1d6c59a7b0392fb3b8b75035614084a53e2c8c9
Upstream: https://gitlab.com/gnutls/gnutls/commit/9d95c912b5843e664c8210887a6719f02a9028be (3.3)
Upstream: https://gitlab.com/gnutls/gnutls/commit/023a20d21b762918d3e1ab25a207ecf874ba21a9 (3.3)
Upstream: https://gitlab.com/gnutls/gnutls/commit/3ade67eb6859a5a074f981480e5663ea92a59380 (3.3)