Bug#514807: Regression in libgnutls security update

Andreas Metzler ametzler at downhill.at.eu.org
Wed Feb 25 18:20:32 UTC 2009

On 2009-02-24 Florian Weimer <fw at deneb.enyo.de> wrote:
> * Simon Josefsson:
>> Florian Weimer <fw at deneb.enyo.de> writes:

>>> Simon, could we make the harmless variant (X.509v1 certificate set as
>>> trusted is accepted as a root CA, but intermediate X.509v1
>>> certificates aren't accepted) the default in etch?

>> It may be that the practical problems are more important than the
>> potential security problem here, which would argue for using the patch.

> This seems to be the case.

> I would like to apply the following patch to etch and lenny.  Any
> objections?


I have been watching this play out since other people participating in
this thread are more knowledgeable than me. From what I have read I
also think this might be the right thing to do. Do you intend to push
this through security or proposed updates?

sid and squeeze are probably better off with following upstream's policy
on that.

cu andreas
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
