Bug 59231 - net-libs/gnutls-1.0.17 Fixes certificate verification problem
Summary: net-libs/gnutls-1.0.17 Fixes certificate verification problem
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://www.hornik.sk/SA/SA-20040802.txt
Whiteboard: B4 [glsa?] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2004-08-02 23:25 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2011-10-30 22:40 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-02 23:25:38 UTC
Mr. Hornik has discovered an error in the X.509 certificate chain
verification procedure in the GnuTLS library. The certificate chain should
be verified from the last root certificate to the first certificate.
Otherwise a lot of unauthorized CPU processing can be forced to check
certificate signatures signed with arbitrary RSA/DSA keys chosen by the
attacker.

In GnuTLS the signatures are checked from first to last certificate;
there is no limit on the size of keys and no limit on the length of the
certificate chain.
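The verification-order problem the advisory describes, as a toy model added here (not GnuTLS code): the leaf-first walk spends signature work under attacker-chosen keys before any trust decision is made, while a root-anchored walk with chain-length and key-size bounds rejects the same chain at no cost. The certificate records, cost function, limits and trust store are all constructed for the example.

```python
from collections import namedtuple
# Assumed policy limits for this toy model; they are not GnuTLS's own values.
MAX_CHAIN_LEN = 8
MAX_KEY_BITS = 4096
# key_bits: size of the cert's public key; sig_ok: stand-in for "issuer's signature verifies"
Cert = namedtuple("Cert", "subject issuer key_bits sig_ok")

def sig_cost(issuer_key_bits):
    # Modular exponentiation grows superlinearly in key size; quadratic is a toy stand-in.
    return issuer_key_bits ** 2

def verify_leaf_first(chain, trusted_roots):
    """Order the advisory criticises: leaf -> top, each signature checked with the next cert's
    still-unvalidated key, with no chain or key-size limit. Returns (ok, work)."""
    work = 0
    for child, parent in zip(chain, chain[1:]):
        work += sig_cost(parent.key_bits)   # attacker picks this key and the chain length
        if child.issuer != parent.subject or not child.sig_ok:
            return False, work
    top = chain[-1]
    if top.issuer not in trusted_roots:
        return False, work                  # trust decision made only after all that work
    work += sig_cost(trusted_roots[top.issuer])
    return top.sig_ok, work

def verify_root_first(chain, trusted_roots):
    """Bound the chain, anchor on a trusted root, then walk downward so every signature is
    checked with an already-validated key whose size has been bounded. Returns (ok, work)."""
    if not 0 < len(chain) <= MAX_CHAIN_LEN:
        return False, 0
    top = chain[-1]
    if top.issuer not in trusted_roots:
        return False, 0                     # nothing to anchor on: no signature work at all
    issuer_name, issuer_bits, work = top.issuer, trusted_roots[top.issuer], 0
    for cert in reversed(chain):
        if cert.issuer != issuer_name or issuer_bits > MAX_KEY_BITS:
            return False, work
        work += sig_cost(issuer_bits)
        if not cert.sig_ok:
            return False, work
        issuer_name, issuer_bits = cert.subject, cert.key_bits   # validated, now usable
    return True, work

TRUSTED_ROOTS = {"Root CA": 2048}   # constructed trust store: subject -> key size in bits
def legit_chain():   # constructed: leaf issued by Intermediate, Intermediate by Root CA
    return [Cert("www.example", "Intermediate", 2048, True),
            Cert("Intermediate", "Root CA", 2048, True)]
def attacker_chain(length=1000, key_bits=16384):   # constructed: long chain of huge keys
    names = [f"evil{i}" for i in range(length)] + ["Evil Root"]
    return [Cert(names[i], names[i + 1], key_bits, True) for i in range(length)]
```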
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-02 23:31:37 UTC
Alastair please bump to 1.0.17
Comment 2 Alastair Tse (RETIRED) gentoo-dev 2004-08-04 06:33:19 UTC
Bumped it in portage, although not stable yet.
Comment 3 Priit Laes (IRC: plaes) 2004-08-04 07:57:52 UTC
OpenCDK dep should be app-crypt/opencdk-0.5.5
Comment 4 Alastair Tse (RETIRED) gentoo-dev 2004-08-04 14:30:08 UTC
You are totally correct. It's now fixed with the new opencdk committed.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-08-05 00:44:01 UTC
Required keywords for security update:
"alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"

Arches: please test and mark stable.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-08-05 02:19:29 UTC
Decreasing priority, as this is not a very important security issue.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-06 14:08:54 UTC
sparc stable!
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-07 02:18:57 UTC
Stable on alpha.
Comment 9 Tom Martin (RETIRED) gentoo-dev 2004-08-07 09:09:17 UTC
Stable on amd64.
Comment 10 Luca Barbato gentoo-dev 2004-08-07 10:45:26 UTC
stable on ppc
Comment 11 Alastair Tse (RETIRED) gentoo-dev 2004-08-07 18:09:59 UTC
luca, opencdk 0.5.5 also needs to be marked stable for gnutls 1.0.17
Comment 12 Aron Griffis (RETIRED) gentoo-dev 2004-08-08 05:44:58 UTC
stable on ia64
Comment 13 Alastair Tse (RETIRED) gentoo-dev 2004-08-08 07:49:26 UTC
Oops... I didn't know that x86 was on the list.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-08-08 10:46:16 UTC
Ready for a GLSA decision.  Given the vulnerability profile, I would vote for "no".
hppa, mips, ppc64 : don't forget to mark stable in any case.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-08 11:20:45 UTC
I vote for no GLSA on this one.
Comment 16 Guy Martin (RETIRED) gentoo-dev 2004-08-09 11:32:02 UTC
Done on hppa.
Comment 17 Luca Barbato gentoo-dev 2004-08-12 01:57:16 UTC
ppc should be ok
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-13 21:45:39 UTC
Closing without GLSA

mips and ppc64: remember to mark stable.
Comment 19 Hardave Riar (RETIRED) gentoo-dev 2004-08-14 16:17:00 UTC
stable on mips
Comment 20 Tom Gall (RETIRED) gentoo-dev 2004-09-25 22:22:18 UTC
stable on ppc64