GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Wed Jan 14, 2009 11:26 pm Post subject: [ GLSA 200901-10 ] GnuTLS: Certificate validation error
Gentoo Linux Security Advisory
Title: GnuTLS: Certificate validation error (GLSA 200901-10)
Severity: normal
Exploitable: remote
Date: January 14, 2009
Bug(s): #245850
ID: 200901-10
Synopsis
A certificate validation error in GnuTLS might allow for spoofing attacks.
Background
GnuTLS is an open-source implementation of TLS 1.0 and SSL 3.0.
Affected Packages
Package: net-libs/gnutls
Vulnerable: < 2.4.1-r2
Unaffected: >= 2.4.1-r2
Architectures: All supported architectures
Description
Martin von Gagern reported that the _gnutls_x509_verify_certificate()
function in lib/x509/verify.c trusts certificate chains in which the
last certificate is an arbitrary trusted, self-signed certificate.
Impact
A remote attacker could exploit this vulnerability and spoof arbitrary
names to conduct Man-In-The-Middle attacks and intercept sensitive
information.
Workaround
There is no known workaround at this time.
Resolution
All GnuTLS users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.4.1-r2"
References
CVE-2008-4989
Last edited by GLSA on Wed Feb 13, 2013 4:28 am; edited 2 times in total
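The defect described in the advisory is about the order in which a chain verifier decides trust. The model below is an added illustration, not code from GnuTLS, from the GLSA, or from lib/x509/verify.c: it uses textbook RSA with tiny fixed primes and string "certificates" so that it runs with the Python standard library only, and the names "Toy Root CA" and "www.bank.example" and every key in it are constructed for the example. `verify_chain_vulnerable` reproduces the flawed sequence the advisory summarises (trust is decided on the final certificate of the peer-supplied chain, that certificate is then dropped as self-signed, and the link between it and the rest of the chain is never checked), so an attacker's self-signed certificate for any name is accepted once a real trusted root is appended to it. `verify_chain_fixed` checks every link and requires the last remaining certificate to be signed by an anchor, which is what a correct verifier must do.

```python
"""Toy model of the GnuTLS chain-verification flaw (CVE-2008-4989).

Added example, not GnuTLS code.  Textbook RSA with tiny keys and string
certificates: only the ORDER of the checks is modelled, not X.509.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

PubKey = Tuple[int, int]  # (n, e)


def keypair(p: int, q: int, e: int) -> Tuple[PubKey, int]:
    """Textbook RSA from fixed small primes: toy only, trivially breakable."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)  # d = e^-1 mod phi (Python 3.8+)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: PubKey
    sig: int


def _tbs_digest(subject: str, issuer: str, pub: PubKey, modulus: int) -> int:
    """Digest of the to-be-signed fields, reduced into the signer's modulus."""
    data = f"{subject}|{issuer}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus


def issue(subject: str, pub: PubKey, issuer: str, issuer_pub: PubKey, issuer_priv: int) -> Cert:
    n, _ = issuer_pub
    return Cert(subject, issuer, pub, pow(_tbs_digest(subject, issuer, pub, n), issuer_priv, n))


def signed_by(cert: Cert, signer: Cert) -> bool:
    """Name must chain AND the signature must verify under the signer's key."""
    n, e = signer.pub
    return (cert.issuer == signer.subject
            and pow(cert.sig, e, n) == _tbs_digest(cert.subject, cert.issuer, cert.pub, n))


def issued_by_trusted(cert: Cert, trusted: List[Cert]) -> bool:
    return any(signed_by(cert, ca) for ca in trusted)


def verify_chain_vulnerable(chain: List[Cert], trusted: List[Cert]) -> bool:
    """Flawed order (simplified model of GnuTLS < 2.6.1): trust is decided on
    the LAST cert the peer sent, that cert is dropped as self-signed, and only
    the remaining adjacent pairs are checked.  Nothing ties chain[-2] to the
    dropped anchor, so [anything, real_root] is accepted."""
    if not chain:
        return False
    if not issued_by_trusted(chain[-1], trusted):
        return False
    if signed_by(chain[-1], chain[-1]):  # self-signed -> "ignore it"
        chain = chain[:-1]
    return all(signed_by(chain[i], chain[i + 1]) for i in range(len(chain) - 1))


def verify_chain_fixed(chain: List[Cert], trusted: List[Cert]) -> bool:
    """Correct order: drop a trailing cert only when it is literally one of
    our anchors, check every adjacent link, then require the last REMAINING
    cert to be signed by a trusted CA."""
    if not chain:
        return False
    if len(chain) > 1 and chain[-1] in trusted:
        chain = chain[:-1]
    if not all(signed_by(chain[i], chain[i + 1]) for i in range(len(chain) - 1)):
        return False
    return issued_by_trusted(chain[-1], trusted)


# Constructed toy PKI (all names and keys invented for this example) ----------
ROOT_PUB, ROOT_PRIV = keypair(61, 53, 17)       # n = 3233
SRV_PUB, _ = keypair(101, 113, 3533)            # n = 11413
ATK_PUB, ATK_PRIV = keypair(1009, 1013, 17)     # attacker's own key

ROOT = issue("Toy Root CA", ROOT_PUB, "Toy Root CA", ROOT_PUB, ROOT_PRIV)  # self-signed anchor
TRUSTED = [ROOT]
SERVER = issue("www.bank.example", SRV_PUB, "Toy Root CA", ROOT_PUB, ROOT_PRIV)  # legitimate leaf
# Attacker: self-signed cert for the victim's name; the real root is tacked on the end.
EVIL = issue("www.bank.example", ATK_PUB, "www.bank.example", ATK_PUB, ATK_PRIV)
# Genuine leaf with one bit of its signature altered: any forgery attempt behaves alike.
TAMPERED = Cert(SERVER.subject, SERVER.issuer, SERVER.pub, (SERVER.sig + 1) % ROOT_PUB[0])

LEGIT_CHAIN = [SERVER, ROOT]
ATTACK_CHAIN = [EVIL, ROOT]


def results() -> dict:
    return {
        "legit_vuln": verify_chain_vulnerable(LEGIT_CHAIN, TRUSTED),      # True
        "legit_fixed": verify_chain_fixed(LEGIT_CHAIN, TRUSTED),          # True
        "attack_vuln": verify_chain_vulnerable(ATTACK_CHAIN, TRUSTED),    # True: spoof accepted
        "attack_fixed": verify_chain_fixed(ATTACK_CHAIN, TRUSTED),        # False: rejected
        "tampered_fixed": verify_chain_fixed([TAMPERED, ROOT], TRUSTED),  # False: bad signature
    }


if __name__ == "__main__":
    for name, ok in results().items():
        print(f"{name:15s} {'ACCEPT' if ok else 'reject'}")
```

The point to carry over to real code: a verifier must never derive trust from a certificate the peer chose to send and then stop checking. The anchor is something the verifier already holds; the peer's chain only has to lead to it through verified signatures, and the final link into the trust store is the one that must not be skipped.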