Debian Bug report logs - #505360
libgnutls26: CVE-2008-4989 security flaw in certificate chain verification


Package: libgnutls26; Maintainer for libgnutls26 is Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>; Source for libgnutls26 is src:gnutls26.

Reported by: "Michael Gilbert" <michael.s.gilbert@gmail.com>

Date: Tue, 11 Nov 2008 20:57:01 UTC

Severity: grave

Tags: security

Found in version gnutls26/2.2.1-2

Fixed in versions gnutls26/2.4.2-2, gnutls26/2.6.2-1

Done: Andreas Metzler <ametzler@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#505360; Package libgnutls26. (Tue, 11 Nov 2008 20:57:04 GMT)

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Tue, 11 Nov 2008 20:57:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Date: Tue, 11 Nov 2008 15:55:13 -0500
Package: libgnutls26
Version: 2.4.2-2
Severity: grave
Tags: security
Justification: user security hole

redhat has just released an update that fixes a security flaw in gnutls [1].
the CVE page [2] indicates that the issue is currently reserved, but redhat
describes the problem as:

 Martin von Gagern discovered a flaw in the way GnuTLS verified certificate
 chains provided by a server. A malicious server could use this flaw to
 spoof its identity by tricking client applications using the GnuTLS library
 to trust invalid certificates. (CVE-2008-4989)

redhat describes this as a "moderate severity" issue, so i assume that this
should be tracked as medium-urgency in debian.

it is not clear which versions are affected.  the redhat updates are only
for their enterprise (rhel 5) version, which is gnutls 1.4.1.

[1] https://rhn.redhat.com/errata/RHSA-2008-0982.html
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#505360; Package libgnutls26. (Wed, 12 Nov 2008 18:06:02 GMT)

Acknowledgement sent to Andreas Metzler <ametzler@downhill.at.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 12 Nov 2008 18:06:02 GMT)

Message #10 received at 505360@bugs.debian.org:

From: Andreas Metzler <ametzler@downhill.at.eu.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 505360@bugs.debian.org
Subject: Re: Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Date: Wed, 12 Nov 2008 19:00:24 +0100
# On 2008-11-11 Michael Gilbert <michael.s.gilbert@gmail.com> wrote:
# > Package: libgnutls26
# > Version: 2.4.2-2
# > Severity: grave
# > Tags: security
# > Justification: user security hole
# 
# > redhat has just released an update that fixes a security flaw in gnutls [1].
# > the CVE page [2] indicates that the issue is currently reserved, but redhat
# > describes the problem as:
# 
# >  Martin von Gagern discovered a flaw in the way GnuTLS verified certificate
# >  chains provided by a server. A malicious server could use this flaw to
# >  spoof its identity by tricking client applications using the GnuTLS library
# >  to trust invalid certificates. (CVE-2008-4989)
# 
# > redhat describes this as a "moderate severity" issue, so i assume that this
# > should be tracked as medium-urgency in debian.
# 
# > it is not clear which versions are affected.  the redhat updates are only
# > for their enterprise (rhel 5) version, which is gnutls 1.4.1.
# 
# > [1] https://rhn.redhat.com/errata/RHSA-2008-0982.html
# > [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989

# Bug applies to every gnutls26 upload, mark it as found in first
# upload to unstable.
found 505360 2.2.1-2
# This bug is already fixed in the version you reported the bug
# against.
notfound 505360 2.4.2-2
clone 505360 -1

close 505360 2.4.2-2

# Bug also applies to gnutls13
reassign -1 libgnutls13
found -1 1.4.4-3
thanks

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
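Whether an installed package still carries this flaw comes down to a Debian version comparison against the fixed versions recorded in this log (gnutls26 2.4.2-2 and 2.6.2-1; libgnutls13 is tracked in the cloned bug). The block below is an added example, not code from this bug report or from the gnutls package: a Python implementation of the Debian version ordering (epoch, upstream version, Debian revision, with the '~' and letter rules of Policy section 5.6.12) applied to constructed `dpkg-query -W` output. EARLIEST_FIX and SAMPLE_DPKG_OUTPUT are assumptions built from the versions on this page. Comparing flatly against the earliest fixed upload is a simplification of the debbugs version graph, which tracks fixes per branch, so a hit means "needs checking" rather than a definitive verdict.

```python
import re

# Added illustration for this bug log; not code from the report or from gnutls.

# Earliest fixed version per binary package, taken from this bug's
# "Fixed in versions" line (2.4.2-2 is the earlier of the two gnutls26 fixes).
EARLIEST_FIX = {"libgnutls26": "2.4.2-2"}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output;
# the libgnutls26 line carries the version this bug was first found in.
SAMPLE_DPKG_OUTPUT = """\
libgnutls26 2.2.1-2
libgnutls13 1.4.4-3
libc6 2.7-16
"""


def _char_order(c: str) -> int:
    """Order of one character in a non-digit run: '~' sorts before
    everything (even end of string), letters before non-letters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_nondigit(a: str, b: str) -> int:
    i = 0
    while i < len(a) or i < len(b):
        oa = _char_order(a[i] if i < len(a) else "")
        ob = _char_order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
        i += 1
    return 0


def _compare_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision: alternate between a
    non-digit run (ordered as above) and a digit run (ordered numerically)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        r = _compare_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        ia, ib = (int(da) if da else 0), (int(db) if db else 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version: str):
    """Split [epoch:]upstream_version[-debian_revision]."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as Debian version a is older than, equal to, or newer
    than b (the same ordering `dpkg --compare-versions` applies)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _compare_fragment(ua, ub)
    if r:
        return r
    return _compare_fragment(ra, rb)


def vulnerable_packages(dpkg_output: str):
    """(package, installed_version) pairs from dpkg-query output whose
    installed version predates the earliest fixed version for that package."""
    hits = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        pkg, ver = parts
        fix = EARLIEST_FIX.get(pkg)
        if fix is not None and compare_versions(ver, fix) < 0:
            hits.append((pkg, ver))
    return hits


if __name__ == "__main__":
    for pkg, ver in vulnerable_packages(SAMPLE_DPKG_OUTPUT):
        print(f"{pkg} {ver} predates the fix in {EARLIEST_FIX[pkg]}")
```

On a real system, feed the output of `dpkg-query -W -f='${Package} ${Version}\n' libgnutls26` to vulnerable_packages instead of the constructed sample.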




Bug marked as found in version 2.2.1-2. Request was from Andreas Metzler <ametzler@downhill.at.eu.org> to control@bugs.debian.org. (Wed, 12 Nov 2008 18:06:05 GMT)

Bug no longer marked as found in version 2.4.2-2. Request was from Andreas Metzler <ametzler@downhill.at.eu.org> to control@bugs.debian.org. (Wed, 12 Nov 2008 18:06:05 GMT)

Bug 505360 cloned as bug 505469. Request was from Andreas Metzler <ametzler@downhill.at.eu.org> to control@bugs.debian.org. (Wed, 12 Nov 2008 18:06:06 GMT)

Bug marked as fixed in version 2.4.2-2, send any further explanations to "Michael Gilbert" <michael.s.gilbert@gmail.com>. Request was from Andreas Metzler <ametzler@downhill.at.eu.org> to control@bugs.debian.org. (Wed, 12 Nov 2008 18:06:09 GMT)

Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility. (Thu, 13 Nov 2008 20:06:04 GMT)

Notification sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Thu, 13 Nov 2008 20:06:05 GMT)

Message #23 received at 505360-close@bugs.debian.org:

From: Andreas Metzler <ametzler@debian.org>
To: 505360-close@bugs.debian.org
Subject: Bug#505360: fixed in gnutls26 2.6.2-1
Date: Thu, 13 Nov 2008 19:32:04 +0000
Source: gnutls26
Source-Version: 2.6.2-1

We believe that the bug you reported is fixed in the latest version of
gnutls26, which is due to be installed in the Debian FTP archive:

gnutls-bin_2.6.2-1_i386.deb
  to pool/main/g/gnutls26/gnutls-bin_2.6.2-1_i386.deb
gnutls-doc_2.6.2-1_all.deb
  to pool/main/g/gnutls26/gnutls-doc_2.6.2-1_all.deb
gnutls26_2.6.2-1.diff.gz
  to pool/main/g/gnutls26/gnutls26_2.6.2-1.diff.gz
gnutls26_2.6.2-1.dsc
  to pool/main/g/gnutls26/gnutls26_2.6.2-1.dsc
gnutls26_2.6.2.orig.tar.gz
  to pool/main/g/gnutls26/gnutls26_2.6.2.orig.tar.gz
guile-gnutls_2.6.2-1_i386.deb
  to pool/main/g/gnutls26/guile-gnutls_2.6.2-1_i386.deb
libgnutls-dev_2.6.2-1_i386.deb
  to pool/main/g/gnutls26/libgnutls-dev_2.6.2-1_i386.deb
libgnutls26-dbg_2.6.2-1_i386.deb
  to pool/main/g/gnutls26/libgnutls26-dbg_2.6.2-1_i386.deb
libgnutls26_2.6.2-1_i386.deb
  to pool/main/g/gnutls26/libgnutls26_2.6.2-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 505360@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated gnutls26 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 13 Nov 2008 19:30:06 +0100
Source: gnutls26
Binary: libgnutls-dev libgnutls26 libgnutls26-dbg gnutls-bin gnutls-doc guile-gnutls
Architecture: source all i386
Version: 2.6.2-1
Distribution: experimental
Urgency: low
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description: 
 gnutls-bin - the GNU TLS library - commandline utilities
 gnutls-doc - the GNU TLS library - documentation and examples
 guile-gnutls - the GNU TLS library - GNU Guile bindings
 libgnutls-dev - the GNU TLS library - development files
 libgnutls26 - the GNU TLS library - runtime library
 libgnutls26-dbg - GNU TLS library - debugger symbols
Closes: 505360
Changes: 
 gnutls26 (2.6.2-1) experimental; urgency=low
 .
   * New upstream version.
     + Fixes certification verification error CVE-2008-4989. Closes: #505360
     + Drop 20_fix_501077.diff.
   * ia64 has guile-1.8 nowadays, let's try building the guile-gnutls wrapper
     there.
   * Add Simon Josefsson to uploaders.
Checksums-Sha1: 
 62cec831e2cc4c1a494669a3c8b77672e3f610a3 1576 gnutls26_2.6.2-1.dsc
 b894618226dab33e1cfc6da04572359607be895f 6078585 gnutls26_2.6.2.orig.tar.gz
 046c53f8ea7cbec90884ee647d6abd2277f5314b 14664 gnutls26_2.6.2-1.diff.gz
 0fd4f50a163e40340dba70d4b9c5e528cff23d2e 2835304 gnutls-doc_2.6.2-1_all.deb
 b38f0498fb82f1981d3ad691d913fc3092eec54a 545362 libgnutls-dev_2.6.2-1_i386.deb
 5f00108c713304cf55563f6788f842cb8bc2c4fd 476672 libgnutls26_2.6.2-1_i386.deb
 587aa3106a9260b2b72b36672b3ce611dfb4e2fa 1054680 libgnutls26-dbg_2.6.2-1_i386.deb
 70d38c0fffdd2280d7e110020963b3a7d4afbdc5 280420 gnutls-bin_2.6.2-1_i386.deb
 1011ad7110269067113086ad1faa1b5c530b7429 215210 guile-gnutls_2.6.2-1_i386.deb
Checksums-Sha256: 
 4f60a3fc3ec5a2fb71edab3cbe508aa6526e5b1f24d341dba149dcd47bdaa18f 1576 gnutls26_2.6.2-1.dsc
 bc229ea11085666fda7eeaad1ecd44de4bbc83bdc0b836688f6e6bc8f0c95b5f 6078585 gnutls26_2.6.2.orig.tar.gz
 6f1666fcefafe3b4f58cf5ed89ef6cd0a0b3d8a13070187b75a2f4f69d830dcd 14664 gnutls26_2.6.2-1.diff.gz
 fce39ca3741bca3d90225ba2d200d1e8794af7766a508a1595dd712b27407dac 2835304 gnutls-doc_2.6.2-1_all.deb
 37b3e40678f79ffd8ddab2ea4e19e9abcca70eaea8099747cb645e21a9854e48 545362 libgnutls-dev_2.6.2-1_i386.deb
 7d6fc0beaaad60ac28eea9485d762531970e39d2056a8e65a14fe0cde6a7551b 476672 libgnutls26_2.6.2-1_i386.deb
 bdb5ff2e1f22209ca4ec8719e53abe1a4ec85ae291d08321d1528e919acc671b 1054680 libgnutls26-dbg_2.6.2-1_i386.deb
 6d959d80851b76ba4586af27e85d9c13190b12d16e27b3d3bb05f51a823aa4e8 280420 gnutls-bin_2.6.2-1_i386.deb
 2bf24b41386a71ed7f7b3594dcfdd151026f6697fce306e4d3407c685ed1071c 215210 guile-gnutls_2.6.2-1_i386.deb
Files: 
 d44197263107dc4d2028bf2903feb34f 1576 devel optional gnutls26_2.6.2-1.dsc
 2962ff0164669294a510a87e8914f1a5 6078585 devel optional gnutls26_2.6.2.orig.tar.gz
 dee5666c158aa5344d52f8469262d944 14664 devel optional gnutls26_2.6.2-1.diff.gz
 6c1eb51fde88f64b5e44d167f2af2dda 2835304 doc optional gnutls-doc_2.6.2-1_all.deb
 c39e42ac84086152d205e3341c958011 545362 libdevel optional libgnutls-dev_2.6.2-1_i386.deb
 08e096dfde7592f9607d6b9ea2b66eea 476672 libs important libgnutls26_2.6.2-1_i386.deb
 4fc8b46623c43e5f3ba4c86ab310d0d1 1054680 devel extra libgnutls26-dbg_2.6.2-1_i386.deb
 f2198cc89af33f7d8a75f254d47fae37 280420 net optional gnutls-bin_2.6.2-1_i386.deb
 4944355a92455a39c54538519e5565e9 215210 libs optional guile-gnutls_2.6.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkcfSgACgkQHTOcZYuNdmPYxwCfb5euK5ibqXeUj0AbH2PLRJfD
QfAAoIwV0WvAG+f3w3hi8V9UW7fRiPkG
=iPCg
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 May 2009 07:30:29 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 13:56:44 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.