Michael Ströder wrote:
Howard Chu wrote:
http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hun...
Perhaps folks will take us more seriously the next time we say "don't use GnuTLS" ... http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
While I personally also prefer OpenSSL over GnuTLS it's not fair to blame developers if they publish a security issue themselves.
This issue was found by a RedHat audit, not by the GnuTLS developers.
The same underlying problem remains - the GnuTLS developers didn't know the first thing about X.509 certificates. They pointedly ignored (or were simply too inexperienced to even understand) the issues that were identified. And apparently, they still haven't learned, after all this time.
One never knows which issues are in other preferred software packages which the developers are not honest enough to talk about.
Ciao, Michael.