Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Nov 11 20:55:13 UTC 2008
Package: libgnutls26
Version: 2.4.2-2
Severity: grave
Tags: security
Justification: user security hole
Red Hat has just released an update that fixes a security flaw in GnuTLS [1].
The CVE page [2] indicates that the issue is currently reserved, but Red Hat
describes the problem as:
Martin von Gagern discovered a flaw in the way GnuTLS verified certificate
chains provided by a server. A malicious server could use this flaw to
spoof its identity by tricking client applications using the GnuTLS library
to trust invalid certificates. (CVE-2008-4989)
Red Hat describes this as a "moderate severity" issue, so I assume that this
should be tracked as medium-urgency in Debian.
It is not clear which versions are affected. The Red Hat updates are only
for their enterprise (RHEL 5) version, which is GnuTLS 1.4.1.
[1] https://rhn.redhat.com/errata/RHSA-2008-0982.html
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989