We are using 3.3.11, latest is 3.3.15 / 3.4.1.
Latest available GnuTLS with ABI 3.0.0 is v3.3.17 and we currently have GnuTLS v3.3.11.
Here follows information about security issues fixed if we upgrade to 3.3.17.
Double free in CRL distribution points decoding of a certificate
Robert Święcki reported that decoding a specially crafted certificate with certain CRL distribution points format can lead to a double free.
This issue was fixed in GnuTLS 3.3.14.
Recommendation: Upgrade to GnuTLS 3.3.14, or later versions.
Double free in certificate DN decoding
Kurt Roeckx reported that decoding a specific certificate with very long DistinguishedName (DN) entries leads to a double free, which may result in a denial of service. Since DN decoding occurs in almost all applications using certificates, it is recommended to upgrade to the latest GnuTLS version fixing the issue.
Recommendation: Upgrade to GnuTLS 3.4.4, or 3.3.17.
ServerKeyExchange signature issue
Karthikeyan Bhargavan reported that a ServerKeyExchange signature sent by the server is not verified to be in the set of algorithms acceptable to the client. That has the effect of allowing MD5 signatures (which are disabled by default) in the ServerKeyExchange message. It is not believed that this bug can be exploited, because a fraudulent signature would have to be generated in real time, which is not known to be possible. However, since attacks only get better, it is recommended to update to a GnuTLS version which addresses the issue.
Recommendation: Upgrade to GnuTLS 3.4.1, or 3.3.15.
None of the mentioned security advisories affects ThinLinc, which makes this bug a non-blocker for ThinLinc v4.5.0.
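An added example (not from this bug, not GnuTLS code) illustrating the ServerKeyExchange check the third advisory is about: a TLS 1.2 client must reject a SignatureAndHashAlgorithm it never offered before it even tries to verify the signature. The wire layout (ServerDHParams, then the two algorithm bytes, then the signature vector) follows RFC 5246; the DH parameters, the placeholder signature bytes and the client's offered list are constructed here and are not real cryptographic material. The `enforce_offer=False` path is my model of the pre-3.3.15 behaviour described above (only "is this a known algorithm" is checked), not GnuTLS's actual code.

```python
import struct  # kept for readers who extend the parser; the helpers below use int.from_bytes

# TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246 section 7.4.1.4.1)
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# Constructed client offer: what a client with MD5 disabled advertises in its
# signature_algorithms extension (sha256/rsa, sha384/rsa, sha1/rsa). Assumption, not a GnuTLS default.
CLIENT_OFFERED = [(4, 1), (5, 1), (2, 1)]


def _read_vec(buf, off, len_bytes):
    """Read a length-prefixed opaque vector; return (bytes, new offset). Raises on truncation."""
    if off + len_bytes > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    off += len_bytes
    if off + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[off:off + n], off + n


def parse_dhe_server_key_exchange(body):
    """Parse a TLS 1.2 DHE ServerKeyExchange body (handshake header already stripped):
    ServerDHParams { dh_p<1..2^16-1>; dh_g<1..2^16-1>; dh_Ys<1..2^16-1> },
    SignatureAndHashAlgorithm { uint8 hash; uint8 signature }, opaque signature<0..2^16-1>."""
    off = 0
    dh_p, off = _read_vec(body, off, 2)
    dh_g, off = _read_vec(body, off, 2)
    dh_ys, off = _read_vec(body, off, 2)
    if off + 2 > len(body):
        raise ValueError("missing SignatureAndHashAlgorithm")
    hash_alg, sig_alg = body[off], body[off + 1]
    off += 2
    signature, off = _read_vec(body, off, 2)
    if off != len(body):
        raise ValueError("trailing bytes after signature")
    return {"dh_p": dh_p, "dh_g": dh_g, "dh_Ys": dh_ys,
            "hash": hash_alg, "sig": sig_alg, "signature": signature}


def accept_signature_algorithm(hash_alg, sig_alg, offered, enforce_offer=True):
    """Gate that must run before any signature verification.
    enforce_offer=False models the flaw from the advisory: the pair only has to be a
    known algorithm, so md5/rsa is accepted although the client never offered it.
    enforce_offer=True is the corrected behaviour: the pair must be in the offered set."""
    if hash_alg not in HASH_NAMES or sig_alg not in SIG_NAMES:
        raise ValueError("unknown SignatureAndHashAlgorithm %d/%d" % (hash_alg, sig_alg))
    if enforce_offer and (hash_alg, sig_alg) not in offered:
        raise ValueError("server chose %s/%s, which the client did not offer"
                         % (HASH_NAMES[hash_alg], SIG_NAMES[sig_alg]))
    return HASH_NAMES[hash_alg], SIG_NAMES[sig_alg]


def build_dhe_ske(hash_alg, sig_alg):
    """Constructed test message: placeholder DH parameters and a dummy 16-byte signature.
    Only the algorithm bytes matter for this check."""
    vec = lambda b: len(b).to_bytes(2, "big") + b
    return (vec(bytes.fromhex("ffffffffffffffffc90fdaa2")) + vec(b"\x02") + vec(b"\x7f" * 12)
            + bytes([hash_alg, sig_alg]) + vec(b"\x00" * 16))


def client_accepts(body, offered=CLIENT_OFFERED, enforce_offer=True):
    """Return the accepted (hash, sig) names, or None if the message is rejected
    (malformed, unknown algorithm, or algorithm not in the client's offered set)."""
    try:
        ske = parse_dhe_server_key_exchange(body)
        return accept_signature_algorithm(ske["hash"], ske["sig"], offered, enforce_offer)
    except ValueError:
        return None


if __name__ == "__main__":
    md5_msg = build_dhe_ske(1, 1)  # md5/rsa, which the client did not offer
    print("lenient:", client_accepts(md5_msg, enforce_offer=False))  # ('md5', 'rsa')
    print("strict :", client_accepts(md5_msg))                        # None
    print("strict sha256:", client_accepts(build_dhe_ske(4, 1)))      # ('sha256', 'rsa')
```

The point of the gate is that the algorithm field is attacker-controlled data: a server (or an active attacker replacing the message) picks it, so the client's own policy, not the server's choice, must decide whether MD5 is ever handed to the signature verifier.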
All done. Work done at the same time as bug 5540, so time is reported there.
Tested tlstunnel and certificate parsing.
Works fine. Tested the HTML5 client and Smart Card authentication on fedora 23, ThinLinc build 4985.