From ${URL} : It was reported [1] that a version 1 intermediate certificate would be considered as a CA certificate by GnuTLS by default. This certificate verification behaviour deviates from the documented behaviour. Upstream notes that this only affects individuals or organizations who have a CA that issues X.509 version 1 certificates in their trusted list. This has been fixed upstream [2] in versions 3.1.21 and 3.2.11. At a quick look at the code of GnuTLS 2.8.5, it is affected. 1.4.1 looks affected to me as well.

[1] http://www.gnutls.org/security.html
[2] https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
(In reply to Agostino Sarubbo from comment #0) > @maintainer(s): after the bump, in case we need to stabilize the package, > please let us know if it is ready for the stabilization or not. 3.2.11 added to the tree, we're not stabilizing gnutls-3* quite yet.
Can we patch 2.12.X with the patch provided to make the stable version secure?
(In reply to Yury German from comment #2) > Can we patch 2.12.X with the patch provided to make the stable version > secure? Why did you change A3 [upstream/ebuild] → A3 [ebuild] if there isn't an upstream version?
(In reply to Agostino Sarubbo from comment #3) > Why did you change A3 [upstream/ebuild] → A3 [ebuild] if there isn't an > upstream version? Ago, a patch is available from upstream as part of the security announcement.
(In reply to Yury German from comment #4) > (In reply to Agostino Sarubbo from comment #3) > > Why did you change A3 [upstream/ebuild] → A3 [ebuild] if there isn't an > > upstream version? > > Ago, a patch is available from upstream as part of the security announcement. Actually, we are using the tag ebuild when there is a fixed version of the package and upstream/ebuild when only a patch is available.
gnutls-2.12.23-r4 in tree. Stabilize both this bug and bug #503394; no reason to do this twice.
Arches, thank you for your work. Maintainer(s), please drop the vulnerable version. Added to existing GLSA request.
Maintainer(s), please drop the vulnerable version.
(In reply to Yury German from comment #8) > Maintainer(s), please drop the vulnerable version. Done.
Thank you for cleanup! (In reply to Alon Bar-Lev from comment #9) > (In reply to Yury German from comment #8) > > Maintainer(s), please drop the vulnerable version. > > Done.
CVE-2014-1959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1959): lib/x509/verify.c in GnuTLS before 3.1.21 and 3.2.x before 3.2.11 treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging an X.509 V1 certificate from a trusted CA to issue new certificates.
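The issue in comment #0 and the CVE text above comes down to one decision in chain building: a v1 certificate has no extensions, so it cannot carry basicConstraints cA=TRUE, and the verifier has to decide what a v1 certificate sitting between the leaf and the trust anchor means. The following is an added illustration, not GnuTLS code and not the upstream patch: a small Python model of that issuer-eligibility rule, with the pre-fix default ("a v1 certificate is a CA") and the fixed default ("a v1 certificate is not a CA unless it is itself a trust anchor, or the caller opts in", which GnuTLS exposes as the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag) side by side. The certificate names are hypothetical, and only name chaining and CA eligibility are modelled; signatures, validity periods and key usage are left out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

V1, V3 = 1, 3


@dataclass(frozen=True)
class Cert:
    """Just the fields the CA decision depends on; no keys or signatures."""
    subject: str
    issuer: str
    version: int
    ca: Optional[bool] = None  # basicConstraints cA; None = extension absent

    def __post_init__(self) -> None:
        # v1 certificates have no extension block, so basicConstraints cannot exist.
        if self.version == V1 and self.ca is not None:
            raise ValueError("v1 certificates cannot carry basicConstraints")


def may_act_as_ca(cert: Cert, trusted: List[Cert], allow_v1_as_ca: bool) -> bool:
    """May `cert` issue the certificate below it in the chain?"""
    if cert in trusted:
        return True  # trust anchors are CAs by configuration, whatever their version
    if cert.version == V3:
        return cert.ca is True
    # v1 and not an anchor: there is no basicConstraints to consult.
    # Pre-fix GnuTLS answered True here by default; the fix answers False
    # unless the caller explicitly opts in (modelled by allow_v1_as_ca).
    return allow_v1_as_ca


def verify_chain(chain: List[Cert], trusted: List[Cert],
                 allow_v1_as_ca: bool = False) -> Tuple[bool, str]:
    """Walk a leaf-first chain up to a trust anchor; return (ok, reason)."""
    if not chain:
        return False, "empty chain"
    path = list(chain)
    if path[-1] not in trusted:
        top = path[-1]
        anchor = next((t for t in trusted if t.subject == top.issuer), None)
        if anchor is None:
            return False, f"{top.subject}: issuer {top.issuer!r} is not a trust anchor"
        path.append(anchor)
    for child, parent in zip(path, path[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject}: issuer does not match {parent.subject!r}"
        if not may_act_as_ca(parent, trusted, allow_v1_as_ca):
            return False, (f"{parent.subject}: not a CA "
                           f"(v{parent.version}, basicConstraints={parent.ca})")
    return True, f"anchored at {path[-1].subject!r}"


# Constructed scenario with hypothetical names.
ROOT = Cert("Example Root CA", "Example Root CA", V3, ca=True)
# A v1 end-entity certificate the root issued to an ordinary customer.
LEGACY = Cert("legacy.example", "Example Root CA", V1)
# The holder of LEGACY uses its key to "issue" a certificate for someone else.
FORGED = Cert("www.victim.example", "legacy.example", V3, ca=False)


def demo() -> dict:
    chain = [FORGED, LEGACY]
    return {
        # Pre-fix default: the v1 certificate is accepted as an intermediate CA.
        "vulnerable": verify_chain(chain, [ROOT], allow_v1_as_ca=True),
        # Fixed default: the same chain is rejected at the v1 link.
        "fixed": verify_chain(chain, [ROOT]),
        # A v1 certificate placed directly in the trust list still anchors a chain,
        # which is why upstream says only sites trusting v1-issuing CAs are affected.
        "v1_anchor": verify_chain([FORGED], [LEGACY]),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10s} {'OK  ' if ok else 'FAIL'} {why}")
```

The point to take from the model is the default in `may_act_as_ca`: anything the verifier cannot positively identify as a CA has to be treated as an end-entity certificate, and a v1 certificate can never be positively identified as one. Checking only that each link is signed by the link above it, as a verifier that skips this test effectively does, lets any holder of a v1 certificate from a trusted CA mint certificates for arbitrary names.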
This issue was resolved and addressed in GLSA 201406-09 at http://security.gentoo.org/glsa/glsa-201406-09.xml by GLSA coordinator Mikle Kolyada (Zlogene).