Your message dated Mon, 16 Mar 2009 23:16:43 -0400
with message-id <20090316231643.bab4c3f0.michael.s.gilb...@gmail.com>
and subject line closing
has caused the Debian Bug report #505469,
regarding libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
505469: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505469
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libgnutls26
Version: 2.4.2-2
Severity: grave
Tags: security
Justification: user security hole

Red Hat has just released an update that fixes a security flaw in gnutls [1].
The CVE page [2] indicates that the issue is currently reserved, but Red Hat
describes the problem as:

 Martin von Gagern discovered a flaw in the way GnuTLS verified certificate
 chains provided by a server. A malicious server could use this flaw to
 spoof its identity by tricking client applications using the GnuTLS library
 to trust invalid certificates. (CVE-2008-4989)

Red Hat describes this as a "moderate severity" issue, so I assume that this
should be tracked as medium-urgency in Debian.

It is not clear which versions are affected. The Red Hat updates are only
for their enterprise (RHEL 5) version, which is gnutls 1.4.1.

[1] https://rhn.redhat.com/errata/RHSA-2008-0982.html
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989



--- End Message ---
--- Begin Message ---
This was fixed in DSA-1719 and gnutls13 no longer exists in unstable.


--- End Message ---