Bug 1196323 (CVE-2015-0294)
Summary: | CVE-2015-0294 gnutls: certificate algorithm consistency checking issue | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | acathrow, alonbl, bazulay, bmcclain, carnil, cfergeau, dblechte, ecohen, gklein, idith, iheim, jrusnack, lsurette, michal.skrivanek, nmavrogi, rbalakri, security-response-team, yeylon |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | GnuTLS 3.3.13 | Doc Type: | Bug Fix |
Doc Text: | It was discovered that GnuTLS did not check if all sections of X.509 certificates indicate the same signature algorithm. This flaw, in combination with a different flaw, could possibly lead to a bypass of the certificate signature check. | | |
Last Closed: | 2015-08-03 06:34:34 UTC | | |
Bug Depends On: | 1198159, 1205501, 1205502 | | |
Bug Blocks: | 1194368 | | |
Description
Vasyl Kaigorodov
2015-02-25 17:12:56 UTC
Upstream test case:
https://gitlab.com/gnutls/gnutls/commit/ca35341243dc2ba13cd703d25becea5da293bc35

This issue is fixed in upstream gnutls-3.3.13.

This issue was addressed in Fedora 21 via the following security advisory:
https://admin.fedoraproject.org/updates/FEDORA-2015-2986/gnutls-3.3.13-1.fc21

This issue was addressed in Fedora 22 via the following security advisory:
https://admin.fedoraproject.org/updates/FEDORA-2015-4276/gnutls-3.3.13-1.fc22

Statement:

This issue affects the version of gnutls package as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates.

This issue affects the version of gnutls package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Acknowledgment:

This issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2015:1457 https://rhn.redhat.com/errata/RHSA-2015-1457.html