Debian DSA-1935-1 Critical: gnutls Remote Attack Mitigation
debian
November 17, 2009
Dan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of the TLS/SSL protocol, does not properly handle a '\0' character in a domain name in the subject's Co...
Topics Covered
Summary
Dan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of
the TLS/SSL protocol, does not properly handle a '\0' character in a domain name
in the subject's Common Name or Subject Alternative Name (SAN) field of an X.509
certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate Certification
Authority. (CVE-2009-2730)
In addition, with this update, certificates with MD2 hash signatures are no
longer accepted since they're no longer considered cryptograhically secure. It
only affects the oldstable distribution (etch).(CVE-2009-2409)
For the oldstable distribution (etch), these problems have been fixed in version
1.4.4-3+etch5 for gnutls13.
For the stable distribution (lenny), these problems have been fixed in version
2.4.2-6+lenny2 for gnutls26.
For the testing distribution (squeeze), and the unstable distribution (sid),
these problems have been fixed in version 2.8.3-1 for gnutls26.
We recommend that ...
PREVIOUS 
NEXT Severity
critical
Lowest
Low
Medium
High
Critical
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!