Bug#541439: CVE-2009-2730: does not properly handle a '\0' character
ametzler at downhill.at.eu.org
Sat Aug 15 12:20:56 UTC 2009
On 2009-08-14 Giuseppe Iuculano <giuseppe at iuculano.it> wrote:
> Package: gnutls26
> Severity: serious
> Tags: security
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for gnutls26.
> | libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0'
> | character in a domain name in the subject's (1) Common Name (CN) or
> | (2) Subject Alternative Name (SAN) field of an X.509 certificate,
> | which allows man-in-the-middle attackers to spoof arbitrary SSL
> | servers via a crafted certificate issued by a legitimate Certification
> | Authority.
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> Could you check if gnutls13 is affected please?
> For further information see:
>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2730
Jamie Strandboge has generated patches for older versions of gnutls
and posted them in
The patch for 2.4.x applies cleanly to the lenny release and seems to
fix the issue. None of these apply to the etch version, though.
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
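The bug class behind CVE-2009-2730, as an added illustration that is not part of this message and not GnuTLS's own code: a CN or dNSName SAN comes out of DER with an explicit length, but a NUL-terminated string comparison stops at the first '\0', so "www.example.com\0.attacker.example" compares equal to "www.example.com" while a CA validating the rightmost labels would have seen attacker.example. The function names, the length-aware check and the constructed sample names are assumptions for this example; they model the general mitigation (refuse embedded NULs, compare full lengths), not the exact GnuTLS 2.8.2 patch.

```c
/* Added example for CVE-2009-2730's bug class. NOT GnuTLS code: a minimal
 * vulnerable hostname check beside a length-aware one, with constructed
 * sample names. Function and variable names are this example's own. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Vulnerable: treats the DER-encoded name as a C string, so the DER length
 * is discarded and everything after an embedded '\0' is silently ignored. */
int hostname_matches_vuln(const char *cert_name, size_t cert_name_len,
                          const char *hostname)
{
    (void)cert_name_len;                 /* length thrown away: the bug */
    return strcmp(cert_name, hostname) == 0;
}

/* Hardened (general mitigation, assumed here rather than GnuTLS's exact
 * patch): refuse any name containing '\0', which a DNS label never has,
 * and compare the full DER length with memcmp instead of strcmp. */
int hostname_matches_fixed(const char *cert_name, size_t cert_name_len,
                           const char *hostname)
{
    size_t host_len = strlen(hostname);
    if (memchr(cert_name, '\0', cert_name_len) != NULL)
        return 0;                        /* embedded NUL: reject outright */
    if (cert_name_len != host_len)
        return 0;
    return memcmp(cert_name, hostname, cert_name_len) == 0;
}

/* What a CA that checks ownership of the registrable domain sees: it reads
 * the whole requested name (full length) and looks at its last two labels.
 * Returns a pointer into 'name' at the start of those labels. */
const char *registrable_suffix(const char *name, size_t len)
{
    size_t i = len, dots = 0;
    while (i > 0) {
        if (name[i - 1] == '.' && ++dots == 2)
            break;
        i--;
    }
    return name + i;
}

/* Constructed sample: the CN as it would sit in the certificate after a CA
 * accepted a CSR for "www.example.com\0.attacker.example". The embedded
 * NUL is byte 15; the literal's own terminator is not part of the name. */
static const char crafted_cn[] = "www.example.com\0.attacker.example";
static const size_t crafted_cn_len = sizeof(crafted_cn) - 1;  /* 33 bytes */
static const char honest_cn[] = "www.example.com";
static const size_t honest_cn_len = sizeof(honest_cn) - 1;    /* 15 bytes */

int main(void)
{
    const char *host = "www.example.com";
    printf("CA validated ownership of: %s\n",
           registrable_suffix(crafted_cn, crafted_cn_len));
    printf("vulnerable check accepts crafted CN for %s: %d\n", host,
           hostname_matches_vuln(crafted_cn, crafted_cn_len, host));
    printf("fixed check accepts crafted CN for %s:      %d\n", host,
           hostname_matches_fixed(crafted_cn, crafted_cn_len, host));
    printf("fixed check accepts honest CN for %s:       %d\n", host,
           hostname_matches_fixed(honest_cn, honest_cn_len, host));
    return 0;
}
```

The same length-versus-terminator mismatch applies to any consumer that hands a DER string to strcmp/strlen; the robust rule is to carry the DER length through every comparison and to treat a NUL anywhere inside a dNSName as a hard failure rather than a terminator.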