Bug 1196323 - (CVE-2015-0294) CVE-2015-0294 gnutls: certificate algorithm consistency checking issue
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20150227,reported=2...
Keywords: Security
Depends On: 1198159 1205501 1205502
Blocks: 1194368

Reported: 2015-02-25 12:12 EST by Vasyl Kaigorodov
Modified: 2016-12-02 01:10 EST (History)

Fixed In Version: GnuTLS 3.3.13
Doc Type: Bug Fix
Doc Text:
It was discovered that GnuTLS did not check if all sections of X.509 certificates indicate the same signature algorithm. This flaw, in combination with a different flaw, could possibly lead to a bypass of the certificate signature check.
Last Closed: 2015-08-03 02:34:34 EDT
External Trackers
Red Hat Product Errata RHSA-2015:1457 (priority: normal, status: SHIPPED_LIVE): "Moderate: gnutls security and bug fix update", last updated 2015-07-21 10:15:08 EDT

Description Vasyl Kaigorodov 2015-02-25 12:12:56 EST
It was reported that all versions of GnuTLS did not check whether the two signature algorithms match on certificate import.

There are no known attacks that could lead to a forged certificate because of that, but the possibility of it is not eliminated either (it depends on whether there can be cross-signature attacks).

Upstream commit that fixes this:

https://gitlab.com/gnutls/gnutls/commit/6e76e9b9fa845b76b0b9a45f05f4b54a052578ff
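As an added illustration (not GnuTLS code and not part of this bug report), the following stdlib-only Python walks the DER structure of a certificate and performs the check this report is about: the AlgorithmIdentifier in tbsCertificate.signature must match the outer Certificate.signatureAlgorithm (RFC 5280, section 4.1.2.3). The certificate builder, the helper names and the sample algorithm choices are constructed for the example; the skeleton certificates it produces are unsigned and not otherwise valid.

```python
def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """List the (tag, value) pairs contained in a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def signature_algorithms(cert_der):
    """Return the encoded AlgorithmIdentifier bodies (tbsCertificate.signature, signatureAlgorithm)."""
    _, cert, _ = _read_tlv(cert_der, 0)
    (_, tbs), (_, outer_alg), _sig = _children(cert)
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0  # skip the optional explicit [0] version
    return fields[i + 1][1], outer_alg    # fields[i] is serialNumber, fields[i + 1] is signature

def algorithms_consistent(cert_der):
    """The check GnuTLS lacked before 3.3.13: both fields must carry the same algorithm."""
    inner, outer = signature_algorithms(cert_der)
    return inner == outer

def _tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed sample certificate."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    return (bytes([tag, 0x82, n >> 8, n & 0xFF]) if n > 0xFF else bytes([tag, 0x81, n])) + value

def _alg_id(oid_hex):
    return _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b"")  # OID followed by NULL parameters

SHA256_RSA = _alg_id("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
MD5_RSA = _alg_id("2a864886f70d010104")     # 1.2.840.113549.1.1.4  md5WithRSAEncryption

def make_cert(inner_alg, outer_alg):
    """Constructed, unsigned certificate skeleton: just enough structure for the check above."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")            # [0] version v3, serial 1
           + _tlv(0x30, inner_alg)                                           # signature AlgorithmIdentifier
           + _tlv(0x30, b"") + _tlv(0x30, _tlv(0x17, b"150101000000Z") * 2)  # issuer, validity
           + _tlv(0x30, b"") + _tlv(0x30, b""))                              # subject, SPKI stubs
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, outer_alg) + _tlv(0x03, b"\x00" * 9))
```

A certificate whose two fields disagree is rejected by `algorithms_consistent`, which is the behaviour the upstream fix introduced; a real validator would perform this check before looking at the signature value at all.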
Comment 7 Huzaifa S. Sidhpurwala 2015-03-25 00:40:51 EDT
This issue is fixed in upstream gnutls-3.3.13

This issue was addressed in Fedora 21 via the following security advisory:
https://admin.fedoraproject.org/updates/FEDORA-2015-2986/gnutls-3.3.13-1.fc21

This issue was addressed in Fedora 22 via the following security advisory:
https://admin.fedoraproject.org/updates/FEDORA-2015-4276/gnutls-3.3.13-1.fc22
Comment 8 Huzaifa S. Sidhpurwala 2015-03-25 00:42:24 EDT
Statement:

This issue affects the version of the gnutls package as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates.

This issue affects the version of the gnutls package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in the Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 9 Huzaifa S. Sidhpurwala 2015-03-25 00:45:05 EDT
Acknowledgment:

This issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team.
Comment 11 errata-xmlrpc 2015-07-22 02:02:35 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1457 https://rhn.redhat.com/errata/RHSA-2015-1457.html