Processing commands for [EMAIL PROTECTED]:

> # On 2008-11-11 Michael Gilbert <[EMAIL PROTECTED]> wrote:
> # > Package: libgnutls26
> # > Version: 2.4.2-2
> # > Severity: grave
> # > Tags: security
> # > Justification: user security hole
> # >
> # > redhat has just released an update that fixes a security flaw in gnutls [1].
> # > the CVE page [2] indicates that the issue is currently reserved, but redhat
> # > describes the problem as:
> # >
> # > Martin von Gagern discovered a flaw in the way GnuTLS verified certificate
> # > chains provided by a server. A malicious server could use this flaw to
> # > spoof its identity by tricking client applications using the GnuTLS library
> # > to trust invalid certificates. (CVE-2008-4989)
> # >
> # > redhat describes this as a "moderate severity" issue, so i assume that this
> # > should be tracked as medium-urgency in debian.
> # >
> # > it is not clear which versions are affected. the redhat updates are only
> # > for their enterprise (rhel 5) version, which is gnutls 1.4.1.
> # >
> # > [1] https://rhn.redhat.com/errata/RHSA-2008-0982.html
> # > [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989
> # Bug applies to every gnutls26 upload, mark it as found in first
> # upload to unstable.
> found 505360 2.2.1-2
Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Bug marked as found in version 2.2.1-2.

> # This bug is already fixed in the version you reported the bug
> # against.
> notfound 505360 2.4.2-2
Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Bug no longer marked as found in version 2.4.2-2.

> clone 505360 -1
Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Bug 505360 cloned as bug 505469.

> close 505360 2.4.2-2
Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
'close' is deprecated; see http://www.debian.org/Bugs/Developer#closing.
Bug marked as fixed in version 2.4.2-2, send any further explanations to "Michael Gilbert" <[EMAIL PROTECTED]>

> # Bug also applies to gnutls13
> reassign -1 libgnutls13
Bug#505469: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Bug reassigned from package `libgnutls26' to `libgnutls13'.

> found -1 1.4.4-3
Bug#505469: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
Bug marked as found in version 1.4.4-3.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)