Your submission was sent successfully! Close

CVE-2009-1417

Published: 30 April 2009

gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.

Priority

Low

Status

Package Release Status
gnutls11
Launchpad, Ubuntu, Debian
dapper Ignored

hardy Does not exist

intrepid Does not exist

jaunty Does not exist

karmic Does not exist

upstream Needs triage

gnutls12
Launchpad, Ubuntu, Debian
dapper Ignored

hardy Does not exist

intrepid Does not exist

jaunty Does not exist

karmic Does not exist

upstream Needs triage

gnutls13
Launchpad, Ubuntu, Debian
dapper Does not exist

hardy Ignored

intrepid Does not exist

jaunty Does not exist

karmic Does not exist

upstream Needs triage

gnutls26
Launchpad, Ubuntu, Debian
dapper Does not exist

hardy Does not exist

intrepid Ignored

jaunty Ignored

karmic Not vulnerable
(2.6.6-1)
upstream
Released (2.6.6-1)

Notes

AuthorNote
jdstrand
from Debian: "[lenny] - gnutls26 <no-dsa> (Minor issue, explicitly
labeled as a test program)"
from upstream: "We are concerned that changing the semantics of an
existing function in this way may be seen as backwards incompatible, but we
believe having a default-secure mode should carry more weight here."
problem is that while gnutls-cli does report the expiration
properly, it does not exit with error if the certificate is not active
or expired. The upstream patches are not backwards compatible and the
risk of regression in changing the library far outweighs the security
benefit of applying this patch to adjust the return code for gnutls-bin.
It is possible to adjust the return code of gnutls-bin, but this would
require diverging from upstream and causing maintenance problems down the
road.

References