Bug 863989 (CVE-2014-1959) - VUL-0: CVE-2014-1959: gnutls: Certificate verification issue
Summary: VUL-0: CVE-2014-1959: gnutls: Certificate verification issue
Status: RESOLVED FIXED
Alias: CVE-2014-1959
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/96187/
Reported: 2014-02-14 10:44 UTC by Alexander Bergmann
Modified: 2014-02-26 11:00 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2014-02-14 10:44:38 UTC
Via OSS:12127 and rhn#1065092:

Suman Jana reported a vulnerability that affects the certificate verification functions of gnutls 3.1.x and gnutls 3.2.x. A version 1 intermediate certificate will be considered as a CA certificate by default (something that deviates from the documented behavior).

Who is affected by this attack?

Anyone who has a CA that issues X.509 version 1 certificates in his trusted list.

How to mitigate the attack?

Apply this patch or upgrade to the latest GnuTLS version (3.2.11 or 3.1.21).

https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d182d68539900092eb42fc62cf1bb7e7c

CVE-2014-1959 was assigned to this issue.

References:
http://comments.gmane.org/gmane.comp.security.oss.general/12127
https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18
https://bugzilla.redhat.com/show_bug.cgi?id=1065092
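The report above describes a verifier treating an X.509 version 1 intermediate as a CA. The following is an added example, not code from the bug report or from GnuTLS: it reads the version field from DER and flags untrusted v1 certificates sitting in an issuing position of a chain. The policy encoded (a v1 certificate may act as CA only when it is itself a trust anchor) and the two DER stubs are assumptions constructed for the demonstration.

```python
from typing import List, Tuple

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits give the length-octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, pos + length

def x509_version(der: bytes) -> int:
    """Return the X.509 version (1, 2 or 3) of a DER-encoded Certificate.
    RFC 5280: tbsCertificate starts with version [0] EXPLICIT INTEGER DEFAULT v1(0).
    If the [0] element is absent the certificate is v1, and a v1 certificate can
    carry no extensions at all, so it can never assert CA status via basicConstraints.
    """
    tag, pos, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vpos, _ = _read_tlv(der, pos)         # first TBS element
    if tag != 0xA0:                            # no [0] wrapper: version defaults to v1
        return 1
    itag, istart, iend = _read_tlv(der, vpos)
    if itag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[istart:iend], "big") + 1

def v1_intermediates(chain: List[bytes], trust_anchors: List[bytes]) -> List[int]:
    """Indexes of chain members (index 0 = end-entity) that are untrusted v1 issuers.
    Assumed policy: a v1 certificate may act as a CA only when it is itself in the
    trusted list; any other v1 certificate in an issuing position is rejected.
    """
    return [i for i, cert in enumerate(chain) if i > 0
            and x509_version(cert) == 1 and cert not in trust_anchors]

# Constructed DER stubs: a Certificate whose tbsCertificate holds only the version
# (for v3) and a serial number; enough for the version check, not real certificates.
V3_STUB = bytes.fromhex("300a3008a003020102020101")
V1_STUB = bytes.fromhex("30053003020101")

if __name__ == "__main__":
    print(x509_version(V3_STUB), x509_version(V1_STUB))       # 3 1
    print(v1_intermediates([V3_STUB, V1_STUB, V3_STUB], []))  # [1]
```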
Comment 2 Bernhard Wiedemann 2014-02-14 13:00:43 UTC
This is an autogenerated message for OBS integration:
This bug (863989) was mentioned in
https://build.opensuse.org/request/show/222335 Factory / gnutls
Comment 3 Swamp Workflow Management 2014-02-14 23:00:26 UTC
bugbot adjusting priority
Comment 4 Shawn Chang 2014-02-19 09:37:43 UTC
Reassigning to security-team