CVE-2008-4989

Published: 12 November 2008

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).

Priority

Medium

Status

Package    Release    Status
gnutls11   Upstream   Needs triage
           Patches: Vendor: https://rhn.redhat.com/errata/RHSA-2008-0982.html
gnutls12   Upstream   Needs triage
gnutls13   Upstream   Needs triage
gnutls26   Upstream   Released (2.4.2-3)