Bug#: 59231
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2004-08-02 23:25 0000
Mr. Hornik has discovered an error in the X.509 certificate chain
verification procedure in the GnuTLS library. The certificate chain should
be verified from the last (root) certificate to the first certificate.
Otherwise a lot of unauthorized CPU processing can be forced to check
certificate signatures signed with arbitrary RSA/DSA keys chosen by an
attacker.

In GnuTLS the signatures are checked from the first to the last certificate;
there is no limit on the size of keys and no limit on the length of the
certificate chain.
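The description turns on the order in which the chain is walked. As an added illustration (not code from GnuTLS or from this bug), the toy Python model below contrasts both orders: `verify_leaf_first` mirrors the reported behaviour of checking every peer-supplied link before reaching a trust anchor, while `verify_root_first` starts at the trust anchor and applies chain-length and key-size limits before any signature work. The certificate names, the textbook-RSA keys built from tiny primes, and the limits of 8 certificates and 4096 bits are all constructed for this model and are not GnuTLS's values.

```python
import hashlib
from collections import namedtuple
# key is the holder's RSA public key (n, e); sig is the issuer's textbook-RSA
# signature over the other fields. Both arrive from the peer, so both are untrusted.
Cert = namedtuple("Cert", "subject issuer key sig")
MAX_CHAIN_LEN, MAX_KEY_BITS = 8, 4096          # limits assumed for this model only
def _digest(cert, n):
    """SHA-256 of the to-be-signed fields, reduced into the signer's modulus."""
    data = f"{cert.subject}|{cert.issuer}|{cert.key}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def issue(subject, issuer, key, issuer_key, issuer_d):   # sign with private exponent d
    cert = Cert(subject, issuer, key, 0)
    return cert._replace(sig=pow(_digest(cert, issuer_key[0]), issuer_d, issuer_key[0]))
def sig_valid(cert, issuer_key):   # the costly step; its cost is set by whoever chose the key
    n, e = issuer_key
    return pow(cert.sig, e, n) == _digest(cert, n)
def verify_leaf_first(chain, roots):
    """Order the bug describes; returns (accepted, signature checks performed)."""
    ops = 0
    for child, parent in zip(chain, chain[1:]):   # parent.key is peer-chosen
        ops += 1
        if not sig_valid(child, parent.key):
            return False, ops
    if chain[-1].issuer not in roots:
        return False, ops                  # CPU already spent on an untrusted chain
    return sig_valid(chain[-1], roots[chain[-1].issuer]), ops + 1
def verify_root_first(chain, roots):
    """Fixed order: bound the input, then exponentiate only with vouched-for keys."""
    if not 0 < len(chain) <= MAX_CHAIN_LEN or any(
            c.key[0].bit_length() > MAX_KEY_BITS for c in chain):
        return False, 0
    issuer_key, ops = roots.get(chain[-1].issuer), 0
    if issuer_key is None:
        return False, 0                    # unknown anchor: no signature work at all
    for cert in reversed(chain):
        ops += 1
        if not sig_valid(cert, issuer_key):
            return False, ops
        issuer_key = cert.key              # verified, so it may vouch for the next
    return True, ops
# Constructed data: textbook RSA keys from tiny primes (61*53 and 101*113).
ROOT, ROOT_D, INTER, INTER_D = (3233, 17), 2753, (11413, 3), 7467
TRUSTED = {"Toy Root CA": ROOT}
GOOD_CHAIN = [issue("server.example", "Toy Inter", (2773, 17), INTER, INTER_D),
              issue("Toy Inter", "Toy Root CA", INTER, ROOT, ROOT_D)]
# Attacker chain: self-issued so every link verifies, ends at no trusted root, and
# uses a huge public exponent (coprime with phi(3233) = 3120) to make checks costly.
BAD_E = (1 << 8192) + 1
BAD_KEY, BAD_D = (3233, BAD_E), pow(BAD_E, -1, 3120)
BAD_CHAIN = [issue(f"fake{i}", f"fake{i + 1}", BAD_KEY, BAD_KEY, BAD_D) for i in range(6)]
```

Against the constructed attacker chain, the leaf-first walk performs five peer-controlled exponentiations before discovering there is no trust anchor, while the root-first walk rejects it with none.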

------- Comment #1 From Sune Kloppenborg Jeppesen 2004-08-02 23:31:37 0000 -------
Alastair please bump to 1.0.17

------- Comment #2 From Alastair Tse (RETIRED) 2004-08-04 06:33:19 0000 -------
Bumped it in portage, although not stable yet.

------- Comment #3 From Priit Laes 2004-08-04 07:57:52 0000 -------
OpenCDK dep should be app-crypt/opencdk-0.5.5

------- Comment #4 From Alastair Tse (RETIRED) 2004-08-04 14:30:08 0000 -------
You are totally correct. It's now fixed with the new opencdk committed.

------- Comment #5 From Thierry Carrez (RETIRED) 2004-08-05 00:44:01 0000 -------
Required keywords for security update:
"alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"

Arches: please test and mark stable.

------- Comment #6 From Thierry Carrez (RETIRED) 2004-08-05 02:19:29 0000 -------
Decreasing priority, as this is not a very important security issue.

------- Comment #7 From Gustavo Zacarias (RETIRED) 2004-08-06 14:08:54 0000 -------
sparc stable!

------- Comment #8 From Bryan Østergaard (RETIRED) 2004-08-07 02:18:57 0000 -------
Stable on alpha.

------- Comment #9 From Tom Martin (RETIRED) 2004-08-07 09:09:17 0000 -------
Stable on amd64.

------- Comment #10 From Luca Barbato 2004-08-07 10:45:26 0000 -------
stable on ppc

------- Comment #11 From Alastair Tse (RETIRED) 2004-08-07 18:09:59 0000 -------
Luca, opencdk 0.5.5 also needs to be marked stable for gnutls 1.0.17.

------- Comment #12 From Aron Griffis (RETIRED) 2004-08-08 05:44:58 0000 -------
stable on ia64

------- Comment #13 From Alastair Tse (RETIRED) 2004-08-08 07:49:26 0000 -------
Oops... I didn't know that x86 was on the list.

------- Comment #14 From Thierry Carrez (RETIRED) 2004-08-08 10:46:16 0000 -------
Ready for a GLSA decision. Given the vulnerability profile, I would vote for
"no".
hppa, mips, ppc64: don't forget to mark stable in any case.

------- Comment #15 From Sune Kloppenborg Jeppesen 2004-08-08 11:20:45 0000 -------
I vote for no GLSA on this one.

------- Comment #16 From Guy Martin 2004-08-09 11:32:02 0000 -------
Done on hppa.

------- Comment #17 From Luca Barbato 2004-08-12 01:57:16 0000 -------
ppc should be ok

------- Comment #18 From Sune Kloppenborg Jeppesen 2004-08-13 21:45:39 0000 -------
Closing without GLSA

mips and ppc64, remember to mark stable.

------- Comment #19 From Hardave Riar (RETIRED) 2004-08-14 16:17:00 0000 -------
stable on mips

------- Comment #20 From Tom Gall 2004-09-25 22:22:18 0000 -------
stable on ppc64
