CVE-2009-1417
Published: 30 April 2009
gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.
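The defect described above is the absence of a time-window check during certificate verification: a certificate whose `notBefore` lies in the future or whose `notAfter` lies in the past was still accepted. The following is an added example written for this page, not GnuTLS code and not the upstream fix, showing what such a check looks like and how a client should turn its result into a failing exit status. It uses only the Python standard library (`ssl.cert_time_to_seconds()` parses the time strings in the format `ssl.SSLSocket.getpeercert()` returns); the helper names `gmt`, `check_validity_window`, `exit_status` and `run_checks` and the sample certificate dictionary are this example's own constructions.

```python
"""Validity-window check for an X.509 certificate (added example).

Illustrative code written for this page; it is not GnuTLS code and not the
upstream patch. Only the Python standard library is used:
ssl.cert_time_to_seconds() parses 'notBefore'/'notAfter' strings in the format
ssl.SSLSocket.getpeercert() returns ("%b %d %H:%M:%S %Y GMT"). The certificate
dict below is constructed sample data, not a real certificate.
"""
import ssl
import sys
import time

# The three outcomes; the last two are the cases the CVE text describes.
VALID = "valid"
NOT_YET_VALID = "not yet valid"
EXPIRED = "expired"


def gmt(cert_time):
    """Seconds since the epoch for a getpeercert()-style GMT time string."""
    return ssl.cert_time_to_seconds(cert_time)


def check_validity_window(cert, now=None):
    """Classify `cert` as VALID, NOT_YET_VALID or EXPIRED at time `now`.

    `cert` is a dict carrying 'notBefore' and 'notAfter' keys, as returned by
    ssl.SSLSocket.getpeercert(); `now` is epoch seconds (default: time.time()).
    Both bounds are inclusive, as RFC 5280 defines the validity period.
    """
    if now is None:
        now = time.time()
    not_before = gmt(cert["notBefore"])
    not_after = gmt(cert["notAfter"])
    if now < not_before:
        return NOT_YET_VALID
    if now > not_after:
        return EXPIRED
    return VALID


def exit_status(cert, now=None):
    """Exit code a default-secure client should return: 0 only when valid.

    This is the behaviour the note on this page says gnutls-cli lacked before
    2.6.6: it printed the expiry but still exited 0.
    """
    return 0 if check_validity_window(cert, now) == VALID else 1


# Constructed sample: a certificate valid for the calendar year 2020 (UTC).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),  # placeholder subject
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Dec 31 23:59:59 2020 GMT",
}


def run_checks(cert=SAMPLE_CERT):
    """Evaluate the sample certificate at three constructed instants."""
    return {
        "before_window": check_validity_window(cert, gmt("Jun 15 12:00:00 2019 GMT")),
        "inside_window": check_validity_window(cert, gmt("Jun 15 12:00:00 2020 GMT")),
        "after_window": check_validity_window(cert, gmt("Jun 15 12:00:00 2021 GMT")),
    }


if __name__ == "__main__":
    for label, result in run_checks().items():
        print(f"{label}: {result}")
    # Mirror the client behaviour the fix introduced: non-zero exit when the
    # sample certificate is outside its window at the current wall-clock time.
    sys.exit(exit_status(SAMPLE_CERT))
```

Run as a script, the block prints one line per constructed instant and exits non-zero because the sample certificate has already expired; the point of `exit_status` is that a wrapper or caller can rely on the return code rather than having to scrape a printed warning.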
Notes
Author | Note |
---|---|
jdstrand | From Debian: "[lenny] - gnutls26 <no-dsa> (Minor issue, explicitly labeled as a test program)". From upstream: "We are concerned that changing the semantics of an existing function in this way may be seen as backwards incompatible, but we believe having a default-secure mode should carry more weight here." The problem is that while gnutls-cli does report the expiration properly, it does not exit with error if the certificate is not active or expired. The upstream patches are not backwards compatible and the risk of regression in changing the library far outweighs the security benefit of applying this patch to adjust the return code for gnutls-bin. It is possible to adjust the return code of gnutls-bin, but this would require diverging from upstream and causing maintenance problems down the road. |
Priority
Status
Package | Release | Status |
---|---|---|
gnutls11 (Launchpad, Ubuntu, Debian) | dapper | Ignored |
gnutls11 | hardy | Does not exist |
gnutls11 | intrepid | Does not exist |
gnutls11 | jaunty | Does not exist |
gnutls11 | upstream | Needs triage |
gnutls12 (Launchpad, Ubuntu, Debian) | dapper | Ignored |
gnutls12 | hardy | Does not exist |
gnutls12 | intrepid | Does not exist |
gnutls12 | jaunty | Does not exist |
gnutls12 | upstream | Needs triage |
gnutls13 (Launchpad, Ubuntu, Debian) | dapper | Does not exist |
gnutls13 | hardy | Ignored |
gnutls13 | intrepid | Does not exist |
gnutls13 | jaunty | Does not exist |
gnutls13 | upstream | Needs triage |
gnutls26 (Launchpad, Ubuntu, Debian) | dapper | Does not exist |
gnutls26 | hardy | Does not exist |
gnutls26 | intrepid | Ignored |
gnutls26 | jaunty | Ignored |
gnutls26 | upstream | Released (2.6.6-1) |