On 2009-01-29 Steve Langasek <steve.langa...@canonical.com> wrote:
> Hi Andreas,
>
> > is this the issue that is also being discussed in
> > http://news.gmane.org/find-root.php?message_id=%3c49654581.3020505%40anl.gov%3e
> > or is it the original submitter a different one than Douglas E.
> > Engert?
>
> That looks to be the same issue, though Douglas is not who submitted the bug
> to Ubuntu (and I don't see any record of his bug ever having made it to
> Ubuntu). Thanks for the pointer to this! Do you think you'll be applying
> this patch to the Debian package soon? Looks release-critical to me, given
> that it breaks validation of valid (and well-known) CAs.

Hello,

I am not sure this is serious. Douglas' bug applies to X509 v1 CA certs,
which afaiui are rare.
http://news.gmane.org/find-root.php?message_id=%3c20090110155632.10ba0626%40nmav%2deee%3e

Gnutls is documented to not trust this type of certificates unless a
special flag is set, afaict the bug is about the fact that gnutls
distrusted them even if the flag was set. Even fixing this did not help
Douglas, since it would have required changing nss-ldap to pass the flag.

Douglas later posted a feature enhancement patch that makes GnuTLS stop
when an intermediate CA cert is found on the trusted CA list.
http://news.gmane.org/find-root.php?message_id=%3c496BA38D.90104%40anl.gov%3e

The patch has not yet been reviewed positively - I think upstream first
needs to see the copyright assignment done.

cu and- Just found that you posted essentially the same summary to
https://bugs.launchpad.net/ubuntu/+source/gnutls12/+bug/305264 -reas
--
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'