Processed: Re: Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification

Debian Bug Tracking System owner at bugs.debian.org
Wed Nov 12 18:06:11 UTC 2008


Processing commands for control at bugs.debian.org:

> # On 2008-11-11 Michael Gilbert <michael.s.gilbert at gmail.com> wrote:
> # > Package: libgnutls26
> # > Version: 2.4.2-2
> # > Severity: grave
> # > Tags: security
> # > Justification: user security hole
> #
> # > redhat has just released an update that fixes a security flaw in gnutls [1].
> # > the CVE page [2] indicates that the issue is currently reserved, but redhat
> # > describes the problem as:
> #
> # >  Martin von Gagern discovered a flaw in the way GnuTLS verified certificate
> # >  chains provided by a server. A malicious server could use this flaw to
> # >  spoof its identity by tricking client applications using the GnuTLS library
> # >  to trust invalid certificates. (CVE-2008-4989)
> #
> # > redhat describes this as a "moderate severity" issue, so I assume that this
> # > should be tracked as medium-urgency in debian.
> #
> # > it is not clear which versions are affected.  the redhat updates are only
> # > for their enterprise (rhel 5) version, which is gnutls 1.4.1.
> #
> # > [1] https://rhn.redhat.com/errata/RHSA-2008-0982.html
> # > [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989
> # Bug applies to every gnutls26 upload, mark it as found in first
> # upload to unstable.
> found 505360 2.2.1-2
Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Bug marked as found in version 2.2.1-2.

> # This bug is already fixed in the version you reported the bug
> # against.
> notfound 505360 2.4.2-2
Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Bug no longer marked as found in version 2.4.2-2.

> clone 505360 -1
Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Bug 505360 cloned as bug 505469.

> close 505360 2.4.2-2
Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
'close' is deprecated; see http://www.debian.org/Bugs/Developer#closing.
Bug marked as fixed in version 2.4.2-2, send any further explanations to "Michael Gilbert" <michael.s.gilbert at gmail.com>

> # Bug also applies to gnutls13
> reassign -1 libgnutls13
Bug#505469: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Bug reassigned from package `libgnutls26' to `libgnutls13'.

> found -1 1.4.4-3
Bug#505469: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Bug marked as found in version 1.4.4-3.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)