[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989
From: |
Simon Josefsson |
Subject: |
Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989 |
Date: |
Mon, 10 Nov 2008 19:34:46 +0100 |
User-agent: |
Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux) |
Andreas Metzler <address@hidden> writes:
> On 2008-11-10 Martin von Gagern <address@hidden> wrote:
>> This is an analysis fo the GNU TLS vulnerability recently published as
>> GNUTLS-SA-2008-3 and CVE-2008-4989.
>
>> I found a bug in GNU TLS which breaks X.509 certificate chain
>> verification. This allows a man in the middle to assume any name and
>> trick GNU TLS clients into trusting that name.
> [...]
>
> This seems to apply to every recent gnutls version (at least even
> 1.4.4 shows the same output. Can you confirm that?
Yes, the buggy code is rather old so it affects many versions.
/Simon