Bug#541439: CVE-2009-2730: does not properly handle a '\0' character
Giuseppe Iuculano
giuseppe at iuculano.it
Fri Aug 14 08:39:08 UTC 2009
Package: gnutls26
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gnutls26.
CVE-2009-2730[0]:
| libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0'
| character in a domain name in the subject's (1) Common Name (CN) or
| (2) Subject Alternative Name (SAN) field of an X.509 certificate,
| which allows man-in-the-middle attackers to spoof arbitrary SSL
| servers via a crafted certificate issued by a legitimate Certification
| Authority.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Could you check if gnutls13 is affected please?
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2730
http://security-tracker.debian.net/tracker/CVE-2009-2730
Cheers,
Giuseppe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqFIqkACgkQNxpp46476aoZcgCfdLyZVjvkaqi7aETk/La0YfwG
yg4Anj98j4y2XQkLkmgD+1kFY1xgyRf9
=+CWA
-----END PGP SIGNATURE-----
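The CVE text above describes the embedded-NUL problem in certificate name matching: an X.509 CN or SAN is a length-counted field, so a name such as `www.example.com\0.attacker.test` is valid ASN.1, but any comparison that treats it as a C string stops at the NUL and sees only `www.example.com`. The following is an added example, not GnuTLS code and not part of the bug report; it contrasts a `strcmp`-style comparison with a length-aware check that rejects names containing `'\0'`. The sample name `SPOOF_NAME` and the hostnames are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample: a length-counted certificate name with an embedded
 * NUL, as described in CVE-2009-2730.  sizeof(...) - 1 gives the encoded
 * length (30 bytes); strlen() would report only 15. */
static const unsigned char SPOOF_NAME[] = "www.example.com\0.attacker.test";
#define SPOOF_NAME_LEN (sizeof(SPOOF_NAME) - 1)

/* Vulnerable pattern for contrast: strcmp stops at the first NUL byte,
 * so the spoofed name compares equal to "www.example.com". */
int cert_name_matches_strcmp(const unsigned char *name, const char *hostname)
{
    return strcmp((const char *)name, hostname) == 0;
}

/* Hardened check: the caller passes the encoded field length.  Any NUL
 * inside that length means the C-string view and the ASN.1 view of the
 * name disagree, so the name is rejected outright.  Otherwise the whole
 * field is compared, exact length, ASCII case-insensitive.
 * Returns 1 on match, 0 on mismatch or malformed name. */
int cert_name_matches(const unsigned char *name, size_t name_len,
                      const char *hostname)
{
    size_t host_len = strlen(hostname);
    size_t i;

    if (memchr(name, '\0', name_len) != NULL)
        return 0;                       /* embedded NUL: reject */

    if (name_len != host_len)
        return 0;                       /* lengths must agree exactly */

    for (i = 0; i < name_len; i++) {
        if (tolower(name[i]) != tolower((unsigned char)hostname[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *expected = "www.example.com";

    printf("strcmp-style match:   %d (accepts the spoofed name)\n",
           cert_name_matches_strcmp(SPOOF_NAME, expected));
    printf("length-aware match:   %d (rejects the spoofed name)\n",
           cert_name_matches(SPOOF_NAME, SPOOF_NAME_LEN, expected));
    printf("legitimate name:      %d\n",
           cert_name_matches((const unsigned char *)"WWW.Example.COM", 15,
                             expected));
    return 0;
}
```

The essential change is that the comparison never derives the name's length from the bytes themselves; it takes the length the certificate parser already knows and treats any disagreement between the two as a reason to fail closed.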