Just a little over three months after GNUTLS-SA-2014-2, GNUTLS-SA-2014-3 (CVE-2014-3466) surfaced a week ago on many distributions’ discussion boards, bug trackers, and so on. A few days after I became aware of this new advisory, another one appeared for OpenSSL, which had just been patched two months ago for Heartbleed.

For Gentoo, a bug report was created to track this security issue (not something you want to be greeted by), and now the patch for 2.12.x is finally in the Portage tree and stabilized. Basically, you will need to update:

  • 2.12.x to the patched version; on Gentoo, that is net-libs/gnutls-2.12.23-r6
  • 3.1.x to 3.1.23
  • 3.2.x to 3.2.15
  • 3.3.x to 3.3.4
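As an added example (not from the original post), here is a small POSIX shell check that tells you whether a given GnuTLS version is at or above the fixed release for its branch, using the version list above; the helper names and the treatment of the Gentoo -r6 revision are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check whether an installed
# GnuTLS version is at or above the first fixed release of its branch for
# GNUTLS-SA-2014-3 (CVE-2014-3466), using the versions listed in the post.
# Gentoo's 2.12.23-r6 is a distribution revision of upstream 2.12.23, so on
# the 2.12 branch the "-rN" suffix is compared too (assumption: r6+ is fixed).

# First fixed release for each affected branch (major.minor).
fixed_for_branch() {
    case "$1" in
        2.12) echo "2.12.23" ;;   # Gentoo: revision -r6 or later
        3.1)  echo "3.1.23" ;;
        3.2)  echo "3.2.15" ;;
        3.3)  echo "3.3.4" ;;
        *)    return 1 ;;         # branch not listed in the advisory
    esac
}
# Numeric, field-by-field comparison of dotted versions; prints -1, 0 or 1.
# A plain string compare would wrongly rank "3.2.9" above "3.2.15".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}
# gnutls_is_fixed VERSION -> exit 0 if patched, 1 if still vulnerable,
# 2 if the branch is not one the post lists (for example 3.0.x).
gnutls_is_fixed() {
    ver="${1%%-r*}"                            # upstream part, e.g. 2.12.23
    case "$1" in *-r*) rev="${1##*-r}" ;; *) rev=0 ;; esac
    branch="${ver%.*}"
    fixed=$(fixed_for_branch "$branch") || return 2
    cmp=$(vercmp "$ver" "$fixed")
    [ "$cmp" -gt 0 ] && return 0
    [ "$cmp" -lt 0 ] && return 1
    [ "$branch" != "2.12" ] || [ "$rev" -ge 6 ]   # same release: check -rN
}

# Demo on constructed sample versions (on a real host, feed in the version
# your package manager reports instead).
for v in 2.12.23-r5 2.12.23-r6 3.1.22 3.2.15 3.3.4 3.0.9; do
    if gnutls_is_fixed "$v"; then echo "$v: fixed"
    elif [ $? -eq 2 ]; then echo "$v: branch not listed"
    else echo "$v: VULNERABLE, upgrade"; fi
done
```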

I learned of this issue via a forum post, which links to a technical analysis. I have no idea what it is saying and can only be amazed by the beautifully colored disassembly. All I know is that if I update my GnuTLS as soon as possible I will be fine, and the analysis’s conclusion tells us the most important thing:

Now, stop reading and upgrade your GnuTLS!

—pancake

The frequency of security issues is really high. Yes, it might be annoying at this once-a-month rate, but it is better to have a hundred fixes than not to know there is a security issue in the software you use, or to have an issue patched only after a hundred days.