Posted: Wed Jan 14, 2009 11:26 pm Post subject: [ GLSA 200901-10 ] GnuTLS: Certificate validation error
Gentoo Linux Security Advisory
Title: GnuTLS: Certificate validation error (GLSA 200901-10)
Date: January 14, 2009
A certificate validation error in GnuTLS might allow for spoofing attacks.
GnuTLS is an open-source implementation of TLS 1.0 and SSL 3.0.
Vulnerable: < 2.4.1-r2
Unaffected: >= 2.4.1-r2
Architectures: All supported architectures
Martin von Gagern reported that the _gnutls_x509_verify_certificate()
function in lib/x509/verify.c trusts certificate chains in which the
last certificate is an arbitrary trusted, self-signed certificate.
A remote attacker could exploit this vulnerability and spoof arbitrary
names to conduct Man-In-The-Middle attacks and intercept sensitive
There is no known workaround at this time.
All GnuTLS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.4.1-r2"
Last edited by GLSA on Wed Feb 13, 2013 4:28 am; edited 2 times in total
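The class of flaw described in the advisory, shown as an added example that is not part of the advisory and is not GnuTLS code: a simplified chain validator that only looks at the last certificate, next to one that verifies every link. The `Cert` model, the HMAC-based toy signature and all names and keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

def sign(key: bytes, subject: str) -> bytes:
    # Toy stand-in for a real signature: HMAC keyed with the issuer's key.
    return hmac.new(key, subject.encode(), hashlib.sha256).digest()

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes   # toy model: the same key signs and verifies
    sig: bytes   # sign(issuer key, subject)

def make(subject, key, issuer=None):
    # Self-signed when no issuer certificate is given.
    ikey = issuer.key if issuer else key
    iname = issuer.subject if issuer else subject
    return Cert(subject, iname, key, sign(ikey, subject))

def issued_by(cert, issuer):
    return cert.issuer == issuer.subject and hmac.compare_digest(
        cert.sig, sign(issuer.key, cert.subject))

def flawed_verify(chain, trusted):
    # Models the reported behaviour: a trusted, self-signed certificate
    # at the end of the chain is enough, the links below it go unchecked.
    last = chain[-1]
    return last in trusted and issued_by(last, last)

def strict_verify(chain, trusted):
    # Every certificate must be issued by the next one in the chain,
    # and the chain must end in a trust anchor.
    if not chain or chain[-1] not in trusted:
        return False
    return all(issued_by(c, i) for c, i in zip(chain, chain[1:]))

# Constructed sample data.
ROOT = make("Example Root CA", b"root-key")
GOOD_LEAF = make("www.example.org", b"leaf-key", issuer=ROOT)
# Names the root as issuer, but was signed with an unrelated key.
BAD_LEAF = Cert("www.example.org", "Example Root CA", b"other-key",
                sign(b"not-the-root-key", "www.example.org"))

if __name__ == "__main__":
    for name, chain in (("good", [GOOD_LEAF, ROOT]), ("bad", [BAD_LEAF, ROOT])):
        print(name, flawed_verify(chain, [ROOT]), strict_verify(chain, [ROOT]))
```

A chain like the constructed `BAD_LEAF` case makes a useful regression test for any certificate validation wrapper: it must be rejected even though its last certificate is a legitimate trust anchor.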