FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-4989

This CVE name corresponds to the following VuXML entry:

Entered     Topic
2008-11-16  gnutls -- X.509 certificate chain validation vulnerability

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type   Candidate
Name   CVE-2008-4989
Phase  Assigned (20081106)

Description

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).
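As an added illustration, not part of the VuXML entry or of GnuTLS itself, the following Python models the chain-walking defect described above in a toy certificate format and places it beside a corrected verifier. The HMAC-based "signatures", certificate names and keys are constructed for the example; only the chain logic is the point.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy certificate model, constructed for this example (not X.509): "key" stands in for
# a public key and a signature is an HMAC over the named fields under the issuer's key.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str
    sig: bytes

def _mac(signer_key, subject, issuer, key):
    return hmac.new(signer_key.encode(), f"{subject}|{issuer}|{key}".encode(), hashlib.sha256).digest()
def issue(subject, key, issuer_subject, issuer_key):
    return Cert(subject, issuer_subject, key, _mac(issuer_key, subject, issuer_subject, key))
def signed_by(cert, signer):
    # True if signer's name matches cert.issuer and signer's key verifies cert.sig.
    expected = _mac(signer.key, cert.subject, cert.issuer, cert.key)
    return cert.issuer == signer.subject and hmac.compare_digest(cert.sig, expected)
def _links_ok(chain):
    return all(signed_by(chain[i], chain[i + 1]) for i in range(len(chain) - 1))

def _strip_trusted_root(chain, trusted):
    # Both verifiers drop a trusted self-signed certificate from the end of the chain.
    chain = list(chain)
    if len(chain) > 1 and signed_by(chain[-1], chain[-1]) and chain[-1] in trusted:
        chain.pop()
    return chain

def verify_chain_vulnerable(chain, trusted):
    # Models the defect in the CVE text: once a trusted self-signed certificate has been
    # stripped, the remaining top certificate is never checked against the trust store.
    stripped = _strip_trusted_root(chain, trusted)
    if len(stripped) == len(chain) and not any(signed_by(stripped[-1], t) for t in trusted):
        return False
    return _links_ok(stripped)

def verify_chain_fixed(chain, trusted):
    # Corrected: the top of the path must be issued by a trust-store certificate,
    # regardless of what the sender appended to the chain.
    stripped = _strip_trusted_root(chain, trusted)
    return _links_ok(stripped) and any(signed_by(stripped[-1], t) for t in trusted)

# Constructed sample data: a trusted root, an honest server certificate, and an
# untrusted self-signed CA that issued a certificate for the same server name.
ROOT = issue("Trusted Root", "root-key", "Trusted Root", "root-key")
HONEST = issue("www.example.org", "srv-key", "Trusted Root", "root-key")
ROGUE_CA = issue("Rogue CA", "rogue-key", "Rogue CA", "rogue-key")
ROGUE_LEAF = issue("www.example.org", "fake-key", "Rogue CA", "rogue-key")
TRUST_STORE = [ROOT]
ROGUE_CHAIN = [ROGUE_LEAF, ROGUE_CA, ROOT]  # untrusted path with a trusted root appended
```

The vulnerable verifier accepts ROGUE_CHAIN solely because a trust-store root was appended to it, while the fixed verifier rejects it and still accepts the honest chains with or without the root included.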

References

Source    Reference
BUGTRAQ   20081117 rPSA-2008-0322-1 gnutls
MLIST     [gnutls-devel] 20081110 Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989
MLIST     [gnutls-devel] 20081110 GnuTLS 2.6.1 - Security release [GNUTLS-SA-2008-3]
CONFIRM   http://www.gnu.org/software/gnutls/security.html
CONFIRM   http://wiki.rpath.com/Advisories:rPSA-2008-0322
CONFIRM   https://issues.rpath.com/browse/RPL-2886
DEBIAN    DSA-1719
FEDORA    FEDORA-2008-9530
FEDORA    FEDORA-2008-9600
GENTOO    GLSA-200901-10
MANDRIVA  MDVSA-2008:227
REDHAT    RHSA-2008:0982
SUNALERT  260528
SUSE      SUSE-SR:2008:027
SUSE      SUSE-SR:2009:009
UBUNTU    USN-678-1
UBUNTU    USN-678-2
BID       32232
OVAL      oval:org.mitre.oval:def:11650
SECTRACK  1021167
SECUNIA   35423
SECUNIA   32687
VUPEN     ADV-2008-3086
SECUNIA   32619
SECUNIA   32879
SECUNIA   32681
SECUNIA   33501
SECUNIA   33694
VUPEN     ADV-2009-1567
XF        gnutls-x509-name-spoofing(46482)