Package: libgnutls26
Version: 2.4.2-2
Severity: grave
Tags: security
Justification: user security hole

redhat has just released an update that fixes a security flaw in gnutls [1]. the CVE page [2] indicates that the issue is currently reserved, but redhat describes the problem as:

  Martin von Gagern discovered a flaw in the way GnuTLS verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications using the GnuTLS library to trust invalid certificates. (CVE-2008-4989)

redhat describes this as a "moderate severity" issue, so i assume that this should be tracked as medium-urgency in debian.

it is not clear which versions are affected. the redhat updates are only for their enterprise (rhel 5) version, which is gnutls 1.4.1.

[1] https://rhn.redhat.com/errata/RHSA-2008-0982.html
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989