[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989
From: |
Andreas Metzler |
Subject: |
Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989 |
Date: |
Mon, 10 Nov 2008 19:15:04 +0100 |
User-agent: |
Mutt/1.5.18 (2008-05-17) |
On 2008-11-10 Martin von Gagern <address@hidden> wrote:
> This is an analysis fo the GNU TLS vulnerability recently published as
> GNUTLS-SA-2008-3 and CVE-2008-4989.
> I found a bug in GNU TLS which breaks X.509 certificate chain
> verification. This allows a man in the middle to assume any name and
> trick GNU TLS clients into trusting that name.
[...]
This seems to apply to every recent gnutls version (at least even
1.4.4 shows the same output. Can you confirm that?
cu and- not trusting myself currently -reas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'