[Forgot Password]
Login  Register Subscribe

23631

 
 

115038

 
 

96174

 
 

909

 
 

78077

 
 

109

Paid content will be excluded from the download.


Download | Alert*
OVAL

USN-809-1 -- GnuTLS vulnerabilities

ID: oval:org.secpod.oval:def:700429Date: (C)2011-05-13   (M)2017-10-04
Class: PATCHFamily: unix




Moxie Marlinspike and Dan Kaminsky independently discovered that GnuTLS did not properly handle certificates with NULL characters in the certificate name. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Dan Kaminsky discovered GnuTLS would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site. This issue only affected Ubuntu 6.06 LTS and Ubuntu 8.10. USN-678-1 fixed a vulnerability and USN-678-2 a regression in GnuTLS. The upstream patches introduced a regression when validating certain certificate chains that would report valid certificates as untrusted. This update fixes the problem, and only affected Ubuntu 6.06 LTS and Ubuntu 8.10 . In an effort to maintain a strong security stance and address all known regressions, this update deprecates X.509 validation chains using MD2 and MD5 signatures. To accomodate sites which must still use a deprected RSA-MD5 certificate, GnuTLS has been updated to stop looking when it has found a trusted intermediary certificate. This new handling of intermediary certificates is in accordance with other SSL implementations. Original advisory details: Martin von Gagern discovered that GnuTLS did not properly verify certificate chains when the last certificate in the chain was self-signed. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information

Platform:
Ubuntu 8.04
Ubuntu 9.04
Ubuntu 6.06
Ubuntu 8.10
Product:
GnuTLS
Reference:
USN-809-1
CVE-2009-2409
CVE-2009-2730
CVE-2008-4989
CVE    3
CVE-2009-2409
CVE-2009-2730
CVE-2008-4989
CPE    1
cpe:/o:ubuntu:ubuntu_linux:8.04

© 2013 SecPod Technologies