New SSL Bug

garyc

This time in GnuTLS. Not as big as the last one but worth taking note of.

"A flaw was found in the way GnuTLS parsed session IDs from Server Hello packets of the TLS/SSL [Transport Layer Security/Secure Sockets Layer] handshake," Red Hat warns in a security advisory. "A malicious server could use this flaw to send an excessively long session ID value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code."

more ...

http://www.eweek.com/security/security-researchers-discover-new-ssl-flaw.html
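
An added illustration, not part of the original post and not code from GnuTLS or Red Hat: a client-side parser that validates the Server Hello session ID length before copying it. The function and struct names are hypothetical; the 32-byte ceiling is the TLS specification's limit on session IDs, while the one-byte length field on the wire can carry values up to 255.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_MAX_SESSION_ID 32      /* TLS spec: opaque SessionID<0..32> */
#define HELLO_FIXED (2 + 32)       /* version (2) + server random (32) */

struct session_id {                /* hypothetical client-side storage */
    uint8_t len;
    uint8_t data[TLS_MAX_SESSION_ID];
};

/* Parse the session ID from a ServerHello body (the bytes after the
 * 4-byte handshake header): version, random, 1-byte session ID length,
 * then the session ID itself.
 * Returns 0 on success, -1 if the message is malformed or truncated. */
int parse_server_hello_session_id(const uint8_t *body, size_t body_len,
                                  struct session_id *out)
{
    if (body == NULL || out == NULL || body_len < HELLO_FIXED + 1)
        return -1;

    uint8_t sid_len = body[HELLO_FIXED];

    /* The server controls this byte. Without this check, any value
     * above 32 makes the memcpy below write past out->data. */
    if (sid_len > TLS_MAX_SESSION_ID)
        return -1;
    /* The claimed length must also fit inside the bytes received. */
    if ((size_t)sid_len > body_len - HELLO_FIXED - 1)
        return -1;

    memcpy(out->data, body + HELLO_FIXED + 1, sid_len);
    out->len = sid_len;
    return 0;
}

int main(void)
{
    /* Constructed sample: a ServerHello body claiming a 200-byte ID. */
    uint8_t msg[HELLO_FIXED + 1 + 200];
    memset(msg, 0xAB, sizeof msg);
    msg[HELLO_FIXED] = 200;
    struct session_id sid;
    int rc = parse_server_hello_session_id(msg, sizeof msg, &sid);
    printf("200-byte session ID: %s\n", rc == 0 ? "accepted" : "rejected");
    return 0;
}
```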
 