|Main Archive Page > Month Archives > full-disclosure-uk archives|
-----BEGIN PGP SIGNED MESSAGE-----
A certificate validation error in GnuTLS might allow for spoofing attacks.
GnuTLS is an open-source implementation of TLS 1.0 and SSL 3.0.
Martin von Gagern reported that the _gnutls_x509_verify_certificate() function in lib/x509/verify.c trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate.
A remote attacker could exploit this vulnerability and spoof arbitrary names to conduct Man-In-The-Middle attacks and intercept sensitive information.
There is no known workaround at this time.
All GnuTLS users should upgrade to the latest version: ~ # emerge --sync ~ # emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.4.1-r2"
~ [ 1 ] CVE-2008-4989
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to firstname.lastname@example.org or alternatively, you may file a bug at http://bugs.gentoo.org.
Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----