Bug#514807: Regression in libgnutls security update
Edward Allcutt
emallcut at gleim.com
Wed Feb 11 17:26:23 UTC 2009
Dear team,
The recent updates for libgnutls fixed CVE-2008-4989. Unfortunately (at
least in my opinion) this also subtly changed the semantics of trusted
certificate lists. Version 1 X509 certificates in the list are no longer
trusted as CAs unless an extra flag is set.
Several users of libgnutls (I've had the problem with nss_ldap, pam_ldap
and apache2 mod_authnz_ldap) assume that all certificates in the list
will be implicitly trusted. See #514807.
This change actually brings gnutls in line with its documentation;
however, it is still a change in behavior that I think is unsuitable for
a stable security update.
I believe this is a significant regression in stable because at least
one widely used CA (godaddy) still issues certificates with a chain
ending in a v1 root (ValiCert Class 2). Godaddy appears to have a newer
v3 root but I don't know how widely deployed this is. It is not in the
etch ca-certificates package for example.
This also affects the same set of packages in lenny. I suppose the
"right" way to solve it in lenny would be to patch all the libgnutls
users which assume v1 CAs should be trusted. However I'm not sure of the
reaction to filing several possibly RC bugs at this point.
--
Edward Allcutt
Network Operations
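Added example (not code from the mail, from GnuTLS, or from any of the packages named above): a stdlib-only Python scanner that reports which certificates in a PEM bundle, for instance the ca-certificates bundle the mail refers to, are X.509 v1 and therefore the roots whose CA status the updated libgnutls no longer grants implicitly. It relies on the DER layout of TBSCertificate, where the version field is `[0] EXPLICIT ... OPTIONAL` and is simply absent from a v1 certificate. The two DER blobs embedded below are constructed, truncated stand-ins containing only the leading fields a version check reads; they are not real certificates, and the bundle path in the usage hint is an assumption.

```python
"""Report X.509 v1 certificates in a PEM bundle.

A certificate is v1 exactly when its TBSCertificate does not start with the
context-specific tag [0] (0xA0) that wraps the EXPLICIT version INTEGER.
Only DER tag/length parsing is needed; nothing else in the cert is decoded.
"""
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag and length at buf[pos].

    Returns (tag, value_start, value_end). Handles short and long-form
    lengths (up to 4 length octets), which covers every real certificate.
    """
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, end


def x509_version(der: bytes) -> int:
    """Return 1, 2 or 3 for a DER-encoded Certificate."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs_start, _ = _read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, v_start, _ = _read_tlv(der, tbs_start)
    if tag != 0xA0:
        return 1  # version field absent: DEFAULT v1(0)
    tag, i_start, i_end = _read_tlv(der, v_start)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[i_start:i_end], "big") + 1


def scan_bundle(pem_text: str):
    """Return [(index, version), ...] for every certificate in the bundle."""
    out = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        out.append((i, x509_version(der)))
    return out


def v1_indices(pem_text: str):
    """Indices of the certificates that would lose implicit CA status."""
    return [i for i, v in scan_bundle(pem_text) if v == 1]


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed, truncated DER stand-ins (NOT real certificates): just the
# Certificate SEQUENCE, the tbsCertificate SEQUENCE, an optional [0]{INTEGER
# version} and a 3-byte serial number, which is all x509_version() reads.
V3_DER = bytes.fromhex("300c300a" "a003020102" "0203010203")  # version 2 => v3
V1_DER = bytes.fromhex("30073005" "0203010203")               # no version => v1
SAMPLE_BUNDLE = to_pem(V3_DER) + to_pem(V1_DER) + to_pem(V3_DER)

if __name__ == "__main__":
    # Usage (assumed path): python3 v1scan.py /etc/ssl/certs/ca-certificates.crt
    paths = sys.argv[1:]
    for path in paths:
        with open(path) as fh:
            text = fh.read()
        hits = v1_indices(text)
        print(f"{path}: {len(scan_bundle(text))} certificates, v1 at {hits}")
```

On a real bundle the indices map to certificate order in the file, so the matching `-----BEGIN CERTIFICATE-----` blocks can be pulled out and inspected with `openssl x509 -noout -subject` to see which roots (such as the ValiCert one named in the mail) are affected.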