Debian Security Advisory 1719-2 - Changes in DSA-1719-1 caused GNUTLS to reject X.509v1 certificates as CA root certificates by default, as originally described in the documentation. However, it turned out that there is still significant use of historic X.509v1 CA root certificates, so this constitutes an unacceptable regression. This update reverses this part of the changes in DSA-1719-1. Note that the X.509v1 certificate format does not distinguish between server and CA certificates, which means that an X.509v1 server certificates is implicitly converted into a CA certificate when added to the trust store (which was the reason for the change in DSA-1719-1).
ddaa4f427a58bff69f2ca3a2aefc0c3300a52b36c422095c425fa6774c24fe5cDebian Security Advisory 1719-1 - Martin von Gagern discovered that GNUTLS, an implementation of the TLS/SSL protocol, handles verification of X.509 certificate chains incorrectly if a self-signed certificate is configured as a trusted certificate. This could cause clients to accept forged server certificates as genuine.
4f44055225319bc86bc380c24ce98f7fcde7c10571fccfac2926e45d7e7df4acGentoo Linux Security Advisory GLSA 200901-10 - A certificate validation error in GnuTLS might allow for spoofing attacks. Martin von Gagern reported that the _gnutls_x509_verify_certificate() function in lib/x509/verify.c trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate. Versions less than 2.4.1-r2 are affected.
546a34c942ac770823964c45d53398b233b2efafe5e1b7e29d324f13c99ef895Ubuntu Security Notice USN-678-1 - Martin von Gagern discovered that GnuTLS did not properly verify certificate chains when the last certificate in the chain was self-signed. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information.
539f7c707d1cb23af98c59af3f2135292874d0c88bb0f3a94232993f1d0dc46bMandriva Linux Security Advisory 2008-227-1 - Martin von Gagern found a flow in how GnuTLS versions 1.2.4 up until 2.6.1 verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications that used the GnuTLS library to trust invalid certificates. It was found that the previously-published patch to correct this issue caused a regression when dealing with self-signed certificates. An updated patch that fixes the security issue and resolves the regression issue has been applied to these packages.
bac14626a031686f97e9d85f053eab14d2203b73251d868c94d7cd0108d40380Pardus Linux Security Advisory 2008-70 -A vulnerability has been reported in GnuTLS, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error when validating the X.509 certificate chain and can be exploited to spoof arbitrary names e.g. during a Man-in-the-Middle (MitM) attack.
3c2662b7e460287e9cc145ea7d0b9487ff84e81276c0932011ff5059ef43322bMandriva Linux Security Advisory - Martin von Gagern found a flow in how GnuTLS versions 1.2.4 up until 2.6.1 verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications that used the GnuTLS library to trust invalid certificates. The updated packages have been patched to correct this issue.
0111abeb08bb42e780b644937c300f302aebebda1a1f47a4e9b45a5b6d908d34
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed