List: gnutls-dev
Subject: Re: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989
From: Simon Josefsson <simon () josefsson ! org>
Date: 2008-11-10 18:34:46
Message-ID: 87prl32zw9.fsf () mocca ! josefsson ! org
Andreas Metzler <ametzler@downhill.at.eu.org> writes:
> On 2008-11-10 Martin von Gagern <Martin.vGagern@gmx.net> wrote:
>> This is an analysis of the GNU TLS vulnerability recently published as
>> GNUTLS-SA-2008-3 and CVE-2008-4989.
>
>> I found a bug in GNU TLS which breaks X.509 certificate chain
>> verification. This allows a man in the middle to assume any name and
>> trick GNU TLS clients into trusting that name.
> [...]
>
> This seems to apply to every recent gnutls version (at least even
> 1.4.4 shows the same output). Can you confirm that?
Yes, the buggy code is rather old so it affects many versions.
/Simon
_______________________________________________
Gnutls-devel mailing list
Gnutls-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/gnutls-devel