Earlier this week, a new security vulnerability was discovered in the GnuTLS SSL/TLS library.
The vulnerability, indexed as CVE-2014-0092 or GNUTLS-SA-2014-2, affects the code responsible for verification of X.509 certificates and could potentially allow eavesdropping of encrypted network traffic.
The good news for Linux users and system administrators is that the problem has been resolved in GnuTLS version 3.2.12.
Fixes are already available for most enterprise and desktop Linux distributions, and patches have been published in the version 2.12.x git tree.
However, as both Ars Technica and Tom’s Guide have suggested, the vulnerability might affect more than just Linux servers and workstations.
As a matter of fact, any application or appliance relying on a pre-3.2.12 version of GnuTLS is vulnerable and will require an update.
Here’s a collection of related advisories for Linux distributions: