Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
michael.s.gilbert at gmail.com
Tue Nov 11 20:55:13 UTC 2008
Justification: user security hole
Red Hat has just released an update that fixes a security flaw in GnuTLS.
The CVE page indicates that the issue is currently reserved, but Red Hat
describes the problem as:
Martin von Gagern discovered a flaw in the way GnuTLS verified certificate
chains provided by a server. A malicious server could use this flaw to
spoof its identity by tricking client applications using the GnuTLS library
to trust invalid certificates. (CVE-2008-4989)
Red Hat describes this as a "moderate severity" issue, so I assume that this
should be tracked as medium-urgency in Debian.
It is not clear which versions are affected. The Red Hat updates are only
for their enterprise (RHEL 5) version, which is GnuTLS 1.4.1.