FreeBSD Bugzilla – Attachment 91505 Details for Bug 128868: [vuxml] security/gnutls: CVE-2008-4989 and update to 2.4.2
vuln.xml (text/plain), 2.17 KB, created by Eygene Ryabinkin on 2008-11-14 15:00:10 UTC
> <vuln vid="">
>   <topic>GnuTLS -- X.509 certificate chain validation vulnerability</topic>
>   <affects>
>     <package>
>       <name>gnutls</name>
>       <range><gt>2.4.0</gt><lt>2.4.2</lt></range>
>     </package>
>     <package>
>       <name>gnutls</name>
>       <range><gt>2.6.0</gt><lt>2.6.1</lt></range>
>     </package>
>   </affects>
>   <description>
>     <body xmlns="http://www.w3.org/1999/xhtml">
>       <p>Martin von Gagern reports:</p>
>       <blockquote cite="http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217">
>         <p>This is an analysis of the GNU TLS vulnerability
>           recently published as GNUTLS-SA-2008-3 and CVE-2008-4989.</p>
>
>         <p>I found a bug in GNU TLS which breaks X.509 certificate
>           chain verification. This allows a man in the middle to assume
>           any name and trick GNU TLS clients into trusting that name.</p>
>
>         <p>This could be used to imitate a server using a specially
>           crafted server certificate chain together with DNS spoofing or
>           some way of intercepting packets along their route. It could
>           also be used to imitate clients authenticating to some service
>           using client certificates, again using specially crafted
>           certificate chains.</p>
>       </blockquote>
>       <p>Announcement of GnuTLS 2.6.1:</p>
>       <blockquote cite="http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215">
>         <p>Version 2.6.1 is a maintenance and security release
>           on our stable branch.</p>
>
>         <p>** libgnutls: Fix X.509 certificate chain validation error.
>           [GNUTLS-SA-2008-3]</p>
>
>         <p>The flaw makes it possible for man in the middle attackers
>           (i.e., active attackers) to assume any name and trick GNU TLS
>           clients into trusting that name. Thanks for report and
>           analysis from Martin von Gagern &lt;Martin.vGagern &lt;at&gt;
>           gmx.net&gt;. [CVE-2008-4989]</p>
>       </blockquote>
>     </body>
>   </description>
>   <references>
>     <cvename>CVE-2008-4989</cvename>
>     <url>http://www.gnu.org/software/gnutls/security.html</url>
>     <url>http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217</url>
>     <url>http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215</url>
>   </references>
>   <dates>
>     <discovery>2008-11-10</discovery>
>   </dates>
> </vuln>