Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification

Andreas Metzler ametzler at downhill.at.eu.org
Wed Nov 12 18:00:24 UTC 2008


# On 2008-11-11 Michael Gilbert <michael.s.gilbert at gmail.com> wrote:
# > Package: libgnutls26
# > Version: 2.4.2-2
# > Severity: grave
# > Tags: security
# > Justification: user security hole
# 
# > redhat has just released an update that fixes a security flaw in gnutls [1].
# > the CVE page [2] indicates that the issue is currently reserved, but redhat
# > describes the problem as:
# 
# >  Martin von Gagern discovered a flaw in the way GnuTLS verified certificate
# >  chains provided by a server. A malicious server could use this flaw to
# >  spoof its identity by tricking client applications using the GnuTLS library
# >  to trust invalid certificates. (CVE-2008-4989)
# 
# > redhat describes this as a "moderate severity" issue, so i assume that this
# > should be tracked as medium-urgency in debian.
# 
# > it is not clear which versions are affected.  the redhat updates are only
# > for their enterprise (rhel 5) version, which is gnutls 1.4.1.
# 
# > [1] https://rhn.redhat.com/errata/RHSA-2008-0982.html
# > [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989

# Bug applies to every gnutls26 upload, mark it as found in first
# upload to unstable.
found 505360 2.2.1-2
# This bug is already fixed in the version you reported the bug
# against.
notfound 505360 2.4.2-2
clone 505360 -1

close 505360 2.4.2-2

# Bug also applies to gnutls13
reassign -1 libgnutls13
found -1 1.4.4-3
thanks

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'