Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989

gnutls-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989

From:	Andreas Metzler
Subject:	Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989
Date:	Mon, 10 Nov 2008 19:15:04 +0100
User-agent:	Mutt/1.5.18 (2008-05-17)

On 2008-11-10 Martin von Gagern <address@hidden> wrote:
> This is an analysis fo the GNU TLS vulnerability recently published as
> GNUTLS-SA-2008-3 and CVE-2008-4989.

> I found a bug in GNU TLS which breaks X.509 certificate chain
> verification. This allows a man in the middle to assume any name and
> trick GNU TLS clients into trusting that name.
[...]

This seems to apply to every recent gnutls version (at least even
1.4.4 shows the same output. Can you confirm that?

cu and- not trusting myself currently -reas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

[Prev in Thread]

Current Thread

[Next in Thread]

Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989, Martin von Gagern, 2008/11/10
- Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989, Andreas Metzler <=
  - Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989, Simon Josefsson, 2008/11/10

Prev by Date: Re: The _gnutls_x509_verify_certificate fix
Next by Date: Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989
Previous by thread: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989
Next by thread: Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989
Index(es):
- Date
- Thread