oss-sec mailing list archives
Re: Re: CVE Request - GnuTLS corrects flaw in certificate verification (3.1.x/3.2.x)
From: Tomas Hoger <thoger () redhat com>
Date: Tue, 25 Feb 2014 22:00:16 +0100
On Thu, 13 Feb 2014 15:30:53 -0500 (EST) cve-assign () mitre org wrote:
> http://gnutls.org/security.html GNUTLS-SA-2014-1
> https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18
>
> Use CVE-2014-1959.

GnuTLS versions before 2.7.6 contained a different bug that caused GnuTLS to accept V1 intermediate CAs by default, while no V1 CAs were meant to be accepted unless the GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT or GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT verification flags were used.

https://bugzilla.redhat.com/show_bug.cgi?id=1069301

This should get a separate CVE.

--
Tomas Hoger / Red Hat Security Response Team

Current thread:
- CVE Request - GnuTLS corrects flaw in certificate verification (3.1.x/3.2.x) mancha (Feb 13)
- Re: CVE Request - GnuTLS corrects flaw in certificate verification (3.1.x/3.2.x) cve-assign (Feb 13)
- Re: Re: CVE Request - GnuTLS corrects flaw in certificate verification (3.1.x/3.2.x) Tomas Hoger (Feb 25)
- Re: CVE Request - GnuTLS corrects flaw in certificate verification (3.1.x/3.2.x) cve-assign (Feb 26)
- Re: CVE Request - GnuTLS corrects flaw in certificate verification (3.1.x/3.2.x) Tomas Hoger (Feb 27)