gnutls-devel


Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989


From: Simon Josefsson
Subject: Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989
Date: Mon, 10 Nov 2008 19:34:46 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)

Andreas Metzler <address@hidden> writes:

> On 2008-11-10 Martin von Gagern <address@hidden> wrote:
>> This is an analysis of the GNU TLS vulnerability recently published as
>> GNUTLS-SA-2008-3 and CVE-2008-4989.
>
>> I found a bug in GNU TLS which breaks X.509 certificate chain
>> verification. This allows a man in the middle to assume any name and
>> trick GNU TLS clients into trusting that name.
> [...]
>
> This seems to apply to every recent gnutls version (at least even
> 1.4.4 shows the same output). Can you confirm that?

Yes, the buggy code is rather old so it affects many versions.

/Simon



