Daniil Baturin
Posted 5 Mar, 2014

In a nutshell: nothing really uses it in VyOS, so we think it’s not enough to trigger a maintenance release.

http://www.gnutls.org/security.html#GNUTLS-SA-2014-2 is the thing everyone is now talking about, so I probably shouldn’t keep silent either.

From what we could find, the only things in VyOS that use GnuTLS are SSMTP and apt-transport-https.

SSMTP is a mail transport agent that’s installed for dependencies and isn’t actually used by anything. APT doesn’t rely on transport confidentiality and authenticity and uses digital signatures instead. Also, no known exploits exist, so we think this is low risk in our case.

We will update it for the next release anyway, but we don’t think it’s enough to trigger a maintenance release. Let me know if I missed anything and you think otherwise.
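One way to re-check which installed packages pull in GnuTLS on a Debian-based image, as an added example that is not VyOS project code: it parses dpkg status data and lists every installed package that depends on a `libgnutls*` package, directly or through another library. The sample stanzas are constructed input, and the `libgnutls` name prefix and the function names are assumptions of this example.

```python
import re

# Constructed sample in /var/lib/dpkg/status format (not from a real VyOS image).
SAMPLE_STATUS = """\
Package: libgnutls26
Status: install ok installed
Depends: libc6 (>= 2.7), libgcrypt11 (>= 1.4.2)

Package: libcurl3-gnutls
Status: install ok installed
Depends: libc6 (>= 2.7), libgnutls26 (>= 2.7.14-0)

Package: apt-transport-https
Status: install ok installed
Depends: libc6 (>= 2.3.4), libcurl3-gnutls (>= 7.16.2-1)

Package: ssmtp
Status: install ok installed
Depends: libc6 (>= 2.3), libgnutls26 (>= 2.7.14-0) | libgnutls-openssl27

Package: exim4
Status: deinstall ok config-files
Depends: libgnutls26 (>= 2.7.14-0)
"""

def parse_status(text):
    """Return {package: set of dependency names} for fully installed packages."""
    deps = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        f = dict(re.findall(r"^([\w-]+):[ \t]*(.*)$", stanza, re.M))
        if "install ok installed" in f.get("Status", ""):
            raw = f.get("Depends", "") + "," + f.get("Pre-Depends", "")
            # Drop "(>= version)" and ":arch"; count every "a | b" alternative.
            raw = re.sub(r"\(.*?\)|:\w+", "", raw)
            deps[f["Package"]] = {n.strip() for n in re.split(r"[,|]", raw) if n.strip()}
    return deps

def reverse_closure(deps, prefix):
    """Map each installed package that reaches an installed prefix* package to its chain."""
    chains = {p: [p] for p in deps if p.startswith(prefix)}
    work = sorted(chains)
    for cur in work:  # work grows while we iterate: breadth-first walk
        for pkg in sorted(deps):
            if cur in deps[pkg] and pkg not in chains:
                chains[pkg] = [pkg] + chains[cur]
                work.append(pkg)
    return {p: c for p, c in chains.items() if not p.startswith(prefix)}

if __name__ == "__main__":
    for pkg, chain in sorted(reverse_closure(parse_status(SAMPLE_STATUS), "libgnutls").items()):
        print(" -> ".join(chain))
```

On a live system, pass the contents of `/var/lib/dpkg/status` instead of the sample. Package-level dependencies show what can load the library, not which code paths actually call it.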

