Security firm Codenomicon has found a new Secure Sockets Layer (SSL) flaw in the GnuTLS open-source cryptographic library. Codenomicon rose to notoriety in April as the security firm that found and branded the Heartbleed flaw in the open-source OpenSSL cryptographic library.
GnuTLS is not as widely deployed as OpenSSL, but it is part of many leading Linux distributions, including Red Hat.
“A flaw was found in the way GnuTLS parsed session IDs from Server Hello packets of the TLS/SSL [Transport Layer Security/Secure Sockets Layer} handshake,” Red Hat warns in a security advisory. “A malicious server could use this flaw to send an excessively long session ID value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code.”