Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989

Simon Josefsson simon at josefsson.org
Mon Nov 10 19:34:46 CET 2008


Andreas Metzler <ametzler at downhill.at.eu.org> writes:

> On 2008-11-10 Martin von Gagern <Martin.vGagern at gmx.net> wrote:
>> This is an analysis fo the GNU TLS vulnerability recently published as
>> GNUTLS-SA-2008-3 and CVE-2008-4989.
>
>> I found a bug in GNU TLS which breaks X.509 certificate chain
>> verification. This allows a man in the middle to assume any name and
>> trick GNU TLS clients into trusting that name.
> [...]
>
> This seems to apply to every recent gnutls version (at least even
> 1.4.4 shows the same output. Can you confirm that?

Yes, the buggy code is rather old so it affects many versions.

/Simon





More information about the Gnutls-devel mailing list