MDVSA-2009:308
- Package name
- gnutls
- Date
- 2009-12-03
- Advisory ID
- MDVSA-2009:308
- Affected versions
- 2008.0 i586 , 2008.0 x86_64
Problem description
Multiple vulnerabilities has been found and corrected in gnutls:
gnutls-cli in GnuTLS before 2.6.6 does not verify the activation
and expiration times of X.509 certificates, which allows remote
attackers to successfully present a certificate that is (1) not yet
valid or (2) no longer valid, related to lack of time checks in the
_gnutls_x509_verify_certificate function in lib/x509/verify.c in
libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup
(CVE-2009-1417).
A vulnerability have been discovered and corrected in GnuTLS
before 2.8.2, which could allow man-in-the-middle attackers to spoof
arbitrary SSL servers via a crafted certificate issued by a legitimate
Certification Authority (CVE-2009-2730).
Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
This update fixes this vulnerability.
Updated packages
2008.0 i586
b0476297b05fee1e5379a8826905757f 2008.0/i586/gnutls-2.0.0-2.4mdv2008.0.i586.rpm 31f117592b8dcb5c3b80b8fde7d2cf2b 2008.0/i586/libgnutls13-2.0.0-2.4mdv2008.0.i586.rpm f9580a96c2b938a67ffc821b4536ce05 2008.0/i586/libgnutls-devel-2.0.0-2.4mdv2008.0.i586.rpm 2d4a130600be226d1ace20f6de574edb 2008.0/SRPMS/gnutls-2.0.0-2.4mdv2008.0.src.rpm
2008.0 x86_64
c36eb24563dc027a84aee5f7b4e0e792 2008.0/x86_64/gnutls-2.0.0-2.4mdv2008.0.x86_64.rpm 3e58a09629aac586a5f1697063d04421 2008.0/x86_64/lib64gnutls13-2.0.0-2.4mdv2008.0.x86_64.rpm 58fbcf88685697a5a2a7959fbd84420d 2008.0/x86_64/lib64gnutls-devel-2.0.0-2.4mdv2008.0.x86_64.rpm 2d4a130600be226d1ace20f6de574edb 2008.0/SRPMS/gnutls-2.0.0-2.4mdv2008.0.src.rpm