Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 25 Feb 2014 22:00:16 +0100
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, mancha1@...h.com
Subject: Re: Re: CVE Request - GnuTLS corrects flaw in
 certificate verification (3.1.x/3.2.x)

On Thu, 13 Feb 2014 15:30:53 -0500 (EST) cve-assign@...re.org wrote:

> > http://gnutls.org/security.html
> > GNUTLS-SA-2014-1
> 
> > https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18
> 
> Use CVE-2014-1959.

GnuTLS versions before 2.7.6 contained different bug that caused GnuTLS
to accept V1 intermediate CAs by default, while no V1 CAs were meant to
be accepted unless GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT or
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT verification flags were used.

https://bugzilla.redhat.com/show_bug.cgi?id=1069301

This should get a separate CVE.

-- 
Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ