This GnuTLS bug is worse than the big Apple "goto fail" bug patched last week.
Bruce Schneier was asking the other day whether the Apple bug might be a deliberate backdoor. This GnuTLS bug seems startlingly similar. It's enough to make you wonder. https://www.schneier.com/blog/archives/2014/02/was_the_ios_ssl.html
If anything this rules out the backdoor as intentional. No way people involved in *nix would intentionally build this sort of thing in; however, it is absolutely boggling that, with how closely everything is inspected here, it has gone unseen since 2003/5.
I see a patch pushed out today. But that this was undiscovered since 2005 is outrageous. Edit: Possibly 2003. http://www.reddit.com/r/netsec/comments/1zhjwh/certificate_verification_vulnerability_in_all/