Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989
simon at josefsson.org
Mon Nov 10 19:34:46 CET 2008
Andreas Metzler <ametzler at downhill.at.eu.org> writes:
> On 2008-11-10 Martin von Gagern <Martin.vGagern at gmx.net> wrote:
>> This is an analysis fo the GNU TLS vulnerability recently published as
>> GNUTLS-SA-2008-3 and CVE-2008-4989.
>> I found a bug in GNU TLS which breaks X.509 certificate chain
>> verification. This allows a man in the middle to assume any name and
>> trick GNU TLS clients into trusting that name.
> This seems to apply to every recent gnutls version (at least even
> 1.4.4 shows the same output. Can you confirm that?
Yes, the buggy code is rather old so it affects many versions.
More information about the Gnutls-devel