Debian DSA-1719-2 Critical: GNUTLS Design Flaw Affecting CA Certificates
debian
February 28, 2009
Changes in DSA-1719-1 caused GNUTLS to reject X.509v1 certificates as CA root certificates by default, as originally described in the documentation
Topics Covered
Summary
Changes in DSA-1719-1 caused GNUTLS to reject X.509v1 certificates as
CA root certificates by default, as originally described in the
documentation. However, it turned out that there is still significant
use of historic X.509v1 CA root certificates, so this constitutes an
unacceptable regression. This update reverses this part of the
changes in DSA-1719-1. Note that the X.509v1 certificate format does
not distinguish between server and CA certificates, which means that
an X.509v1 server certificates is implicitly converted into a CA
certificate when added to the trust store (which was the reason for
the change in DSA-1719-1).
The current stable distribution (lenny) was released with the changes
in DSA-1719-1 already applied, and this update reverses the changes
concerning X.509v1 CA certificates for this distribution, too.
For the old stable distribution (etch), this problem has been fixed in
version 1.4.4-3+etch4.
For the stable distribution (lenny), this problem has been fixed in
version 2.4.2...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: gnutls13, gnutls26
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!