Package: lynx-cur, libgnutls26
Severity: serious
Tags: security

Hi,

There is a test site for checking the gnutls bug:
https://gnutls.notary.icsi.berkeley.edu/

I can connect to it and get the message:
If you see this without getting a certificate error you are vulnerable against the GnuTLS bug

I can reproduce this with the following combinations:

stable:
ii libgnutls26:amd64 2.12.20-8+deb7u2
ii lynx-cur 2.8.8dev.12-2

And testing:
ii libgnutls26:amd64 2.12.23-16
ii lynx-cur 2.8.8pre5-1

Using gnutls-bin
gnutls-bin 3.0.22-3+really2.12.20-8+deb7u2
I also get:

$ gnutls-cli -p 443 gnutls.notary.icsi.berkeley.edu --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 159 CA certificate(s).
Resolving 'gnutls.notary.icsi.berkeley.edu'...
Connecting to '192.150.187.13:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

While with 3.3.2-2 I get:

$ gnutls-cli -p 443 gnutls.notary.icsi.berkeley.edu --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 168 CA certificate(s).
Resolving 'gnutls.notary.icsi.berkeley.edu'...
Connecting to '192.150.187.13:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=gnutls.notary.icsi.berkeley.edu,OU=ICSI GnuTLS Crt,O=ICSI GnuTLS Test Cert.', issuer `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-08-28 14:51:35 UTC', expires `2015-08-28 14:51:35 UTC', SHA-1 fingerprint `b20c942cd0dd72cd5a02b697ba6862064727f3d9'
 Public Key ID: c9952718d6b2c42cd432b9d8c0f0730ab3286c9d
 Public key's random art:
 +--[ RSA 2048]----+
 | .o ..=o. |
 | .o =.*o.. |
 | o o+.*.o+ . |
 |...+o+o..o o |
 |oo.E. S |
 |o |
 | |
 | |
 | |
 +-----------------+

- Certificate[1] info:
 - subject `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287', issuer `C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-11-16 01:54:37 UTC', expires `2026-11-16 01:54:37 UTC', SHA-1 fingerprint `7c4656c3061f7f4c0d67b319a855f60ebc11fc44'
- Status: The certificate is NOT trusted. The certificate issuer is not a CA.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

The 3.3.2-2 version is linked to libgnutls28 of course.

Kurt