Date: Tue, 25 Feb 2014 22:00:16 +0100 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org, mancha1@...h.com Subject: Re: Re: CVE Request - GnuTLS corrects flaw in certificate verification (3.1.x/3.2.x) On Thu, 13 Feb 2014 15:30:53 -0500 (EST) cve-assign@...re.org wrote: > > http://gnutls.org/security.html > > GNUTLS-SA-2014-1 > > > https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18 > > Use CVE-2014-1959. GnuTLS versions before 2.7.6 contained different bug that caused GnuTLS to accept V1 intermediate CAs by default, while no V1 CAs were meant to be accepted unless GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT or GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT verification flags were used. https://bugzilla.redhat.com/show_bug.cgi?id=1069301 This should get a separate CVE. -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ