Package name
gnutls
Date
2009-12-03
Advisory ID
MDVSA-2009:308
Affected versions
2008.0 i586 , 2008.0 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in gnutls:

gnutls-cli in GnuTLS before 2.6.6 does not verify the activation
and expiration times of X.509 certificates, which allows remote
attackers to successfully present a certificate that is (1) not yet
valid or (2) no longer valid, related to lack of time checks in the
_gnutls_x509_verify_certificate function in lib/x509/verify.c in
libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup
(CVE-2009-1417).

A vulnerability have been discovered and corrected in GnuTLS
before 2.8.2, which could allow man-in-the-middle attackers to spoof
arbitrary SSL servers via a crafted certificate issued by a legitimate
Certification Authority (CVE-2009-2730).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

This update fixes this vulnerability.

Updated packages

2008.0 i586

 b0476297b05fee1e5379a8826905757f  2008.0/i586/gnutls-2.0.0-2.4mdv2008.0.i586.rpm
 31f117592b8dcb5c3b80b8fde7d2cf2b  2008.0/i586/libgnutls13-2.0.0-2.4mdv2008.0.i586.rpm
 f9580a96c2b938a67ffc821b4536ce05  2008.0/i586/libgnutls-devel-2.0.0-2.4mdv2008.0.i586.rpm 
 2d4a130600be226d1ace20f6de574edb  2008.0/SRPMS/gnutls-2.0.0-2.4mdv2008.0.src.rpm

2008.0 x86_64

 c36eb24563dc027a84aee5f7b4e0e792  2008.0/x86_64/gnutls-2.0.0-2.4mdv2008.0.x86_64.rpm
 3e58a09629aac586a5f1697063d04421  2008.0/x86_64/lib64gnutls13-2.0.0-2.4mdv2008.0.x86_64.rpm
 58fbcf88685697a5a2a7959fbd84420d  2008.0/x86_64/lib64gnutls-devel-2.0.0-2.4mdv2008.0.x86_64.rpm 
 2d4a130600be226d1ace20f6de574edb  2008.0/SRPMS/gnutls-2.0.0-2.4mdv2008.0.src.rpm

References