[v2.4] gnutls: Certificate verification issue (CVE-2014-1959, CVE-2014-0092)
Details from http://www.gnutls.org/security.html#GNUTLS-SA-2014-2
CVE-2014-0092 Certificate verification issue
GNUTLS-SA-2014-2
A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks. The vulnerability was discovered during an audit of GnuTLS for Red Hat.
Who is affected by this attack?
Anyone using certificate authentication in any version of GnuTLS.
How to mitigate the attack?
Upgrade to the latest GnuTLS version (3.2.12 or 3.1.22), or apply the patch for GnuTLS 2.12.x.
CVE-2014-1959 Certificate verification issue
GNUTLS-SA-2014-1
Suman Jana reported a vulnerability that affects the certificate verification functions of gnutls 2.11.5 and later versions. A version 1 intermediate certificate will be considered as a CA certificate by default (something that deviates from the documented behavior).
Who is affected by this attack?
Anyone who has a CA that issues X.509 version 1 certificates in his trusted list.
How to mitigate the attack?
Apply this patch or upgrade to the latest GnuTLS version (3.2.11 or 3.1.21).
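As an added example, not part of the gnutls advisory or of the Alpine package: a stand-alone Python check for the condition GNUTLS-SA-2014-1 describes, an X.509 version 1 certificate sitting above the leaf in a chain, where it would carry no basicConstraints and should not be accepted as a CA unless explicitly trusted. It uses a minimal DER walker written here (read_tlv, x509_version and v1_issuers are names chosen for this example) and takes constructed toy certificate shells as input, not real certificates.

```python
"""Flag X.509 version 1 certificates above the leaf in a chain (added example).

Only the version field of each DER certificate is read: it is the first
element of tbsCertificate, an EXPLICIT [0] INTEGER (0 = v1, 1 = v2, 2 = v3),
and when the element is absent the version is v1. No external libraries.
"""


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def x509_version(cert_der: bytes) -> int:
    """Return the X.509 version (1, 2 or 3) encoded in a DER certificate."""
    tag, cert_body, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert_body)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, first, _ = read_tlv(tbs)
    if tag != 0xA0:  # no [0] EXPLICIT version element => default v1
        return 1
    itag, ver, _ = read_tlv(first)
    if itag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(ver, "big") + 1


def v1_issuers(chain):
    """Indices of certificates above the leaf (chain[0]) that are version 1.

    A v1 certificate has no extensions, hence no basicConstraints, so it
    gives no evidence of being a CA; flag it for review rather than trust it.
    """
    return [i for i, c in enumerate(chain) if i > 0 and x509_version(c) == 1]


# --- constructed sample input (toy shells, not real certificates) -----------
def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder for the toy certificates below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n])
    return bytes([tag]) + length + content


def _toy_cert(version: int, serial: int) -> bytes:
    """Certificate shell: only the fields this checker reads are meaningful."""
    fields = b""
    if version > 1:
        fields += _der(0xA0, _der(0x02, bytes([version - 1])))
    fields += _der(0x02, bytes([serial]))
    tbs = _der(0x30, fields)
    # sha256WithRSAEncryption OID as a placeholder algorithm identifier
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    sig = _der(0x03, b"\x00" * 5)  # placeholder BIT STRING, no real signature
    return _der(0x30, tbs + sig_alg + sig)


SAMPLE_CHAIN = [
    _toy_cert(3, 1),  # leaf
    _toy_cert(1, 2),  # v1 intermediate: the case GNUTLS-SA-2014-1 describes
    _toy_cert(3, 3),  # v3 root
]

if __name__ == "__main__":
    print("v1 certificates above the leaf at positions:", v1_issuers(SAMPLE_CHAIN))
```

Run against a real chain by loading each DER file into the list in leaf-first order; a non-empty result from v1_issuers means a chain element that a patched GnuTLS will no longer treat as a CA by default.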
(from redmine: issue id 2726, created on 2014-03-05, closed on 2014-03-05)
- Relations:
  - copied_to #2725 (closed)
  - parent #2722 (closed)
- Changesets:
  - Revision 18c70cf5 by Natanael Copa on 2014-03-05T09:31:57Z:
    main/gnutls: security fix for CVE-2014-0092 and CVE-2014-1959
    fixes #2726