Gmane
From: Tomas Hoger <thoger-H+wXaHxf7aLQT0dZR+AlfA <at> public.gmane.org>
Subject: Re: Re: CVE Request - GnuTLS corrects flaw in certificate verification (3.1.x/3.2.x)
Newsgroups: gmane.comp.security.oss.general
Date: Tuesday 25th February 2014 21:00:16 UTC
On Thu, 13 Feb 2014 15:30:53 -0500 (EST)
[email protected] wrote:

> > http://gnutls.org/security.html
> > GNUTLS-SA-2014-1
> 
> > https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18
> 
> Use CVE-2014-1959.

GnuTLS versions before 2.7.6 contained a different bug that caused GnuTLS
to accept V1 intermediate CAs by default, while no V1 CAs were meant to
be accepted unless the GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT or
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT verification flags were used.

https://bugzilla.redhat.com/show_bug.cgi?id=1069301

This should get a separate CVE.

-- 
Tomas Hoger / Red Hat Security Response Team
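The behaviour described in the message above (V1 certificates turning up in CA positions of a chain, which a verifier should reject unless explicitly told otherwise) can be checked for independently of the TLS library. The following is an added example written for this archive page; it is not code from the post, from Red Hat, or from GnuTLS. It reads only the leading DER fields of each certificate to extract the X.509 version (a v1 certificate simply omits the `[0] EXPLICIT version` element, so the version defaults to 1) and reports any CA-position certificate that is v1. The two flag constants mirror the flag names in the post, but their bit values are made up here, and the meaning attached to them (`ALLOW_X509_V1_CA_CRT` permits a v1 trusted root only, `ALLOW_ANY_X509_V1_CA_CRT` also permits v1 intermediates) is this example's assumed model, not quoted from GnuTLS documentation. The stub certificates are constructed for the demonstration and are not real certificates; real DER certificates (e.g. bytes read from a `.der` file) can be passed to the same functions.

```python
# Added example: report X.509 v1 certificates sitting in CA positions of a
# chain. Not from the mailing-list post or from GnuTLS. The DER parsing reads
# only the head of each certificate; it is not a full X.509 parser.

# Assumed flag model mirroring the two GnuTLS flag names in the post. The bit
# values are invented for this example; the semantics are this example's
# assumption (root-only vs. any CA), not quoted from GnuTLS.
ALLOW_X509_V1_CA_CRT = 1 << 0        # assumed: permit a v1 trusted root only
ALLOW_ANY_X509_V1_CA_CRT = 1 << 1    # assumed: permit v1 intermediates too


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos (low-tag-number form only).
    Returns (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def x509_version(cert_der):
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ... },
        signatureAlgorithm, signatureValue }
    A v1 certificate omits the [0] element, so the first TLV inside
    tbsCertificate is the serialNumber INTEGER rather than [0].
    """
    tag, tbs_pos, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, first_pos, _ = _read_tlv(cert_der, tbs_pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, ver_pos, _ = _read_tlv(cert_der, first_pos)
    if tag != 0xA0:                  # [0] EXPLICIT absent: DEFAULT v1
        return 1
    tag, int_start, int_end = _read_tlv(cert_der, ver_pos)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(cert_der[int_start:int_end], "big") + 1


def v1_ca_problems(chain, flags=0):
    """Indexes of CA-position certificates (everything after the leaf, root
    last) that are X.509 v1 and are not permitted under the assumed flags."""
    problems = []
    last = len(chain) - 1
    for idx in range(1, len(chain)):
        if x509_version(chain[idx]) != 1:
            continue
        if flags & ALLOW_ANY_X509_V1_CA_CRT:
            continue
        if idx == last and flags & ALLOW_X509_V1_CA_CRT:
            continue
        problems.append(idx)
    return problems


# --- constructed test data (not real certificates) -------------------------
def _der(tag, content):
    """Minimal DER TLV encoder, enough for the stub structures below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content


def make_stub_cert(version):
    """Constructed skeleton with the Certificate/tbsCertificate framing and
    only the version and serialNumber fields; enough for x509_version()."""
    serial = _der(0x02, b"\x01")
    if version == 1:
        tbs = _der(0x30, serial)                        # version omitted
    else:
        tbs = _der(0x30, _der(0xA0, _der(0x02, bytes([version - 1]))) + serial)
    sig_alg = _der(0x30, b"")
    sig_val = _der(0x03, b"\x00")
    return _der(0x30, tbs + sig_alg + sig_val)


if __name__ == "__main__":
    chain = [make_stub_cert(3), make_stub_cert(1), make_stub_cert(3)]
    print("v1 CA positions rejected by default:", v1_ca_problems(chain))
    print("with ALLOW_ANY flag:", v1_ca_problems(chain, ALLOW_ANY_X509_V1_CA_CRT))
```

With the default flags the v1 intermediate at index 1 is reported; only the permissive `ALLOW_ANY_X509_V1_CA_CRT` model clears it, while `ALLOW_X509_V1_CA_CRT` clears a v1 certificate only when it is the last (root) element. A check like this run over chains seen on the wire or stored in trust stores gives a library-independent way to spot the condition the post describes.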