It was reported that all versions of GnuTLS did not check, on certificate import, whether the two signature algorithm fields of a certificate match.
There are no known attacks that lead to a forged certificate because of this, but the possibility is not ruled out either (it depends on whether cross-signature attacks are possible).
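As an added example (not GnuTLS code), the consistency check the report describes, written as a small DER walk in Python: RFC 5280 requires the AlgorithmIdentifier inside tbsCertificate (its `signature` field) to equal the outer `signatureAlgorithm`, so an importer should compare the two OIDs and reject a mismatch. The sample certificates are constructed skeletons containing only the fields the check reads.

```python
# Added example, not GnuTLS code: verify that a DER certificate's inner
# (tbsCertificate.signature) and outer (signatureAlgorithm) AlgorithmIdentifiers agree.
def _tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _children(body):
    """Split a SEQUENCE body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def _algorithm_oid(alg_id_body):
    tag, oid = _children(alg_id_body)[0]    # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return oid

def signature_algorithms(cert_der):
    """Return (inner_oid, outer_oid) as raw OID bytes for a DER certificate."""
    _, cert, _ = _tlv(cert_der, 0)
    tbs, outer_alg = _children(cert)[:2]    # third element is signatureValue
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    inner_alg = fields[1]                   # serialNumber, then signature
    return _algorithm_oid(inner_alg[1]), _algorithm_oid(outer_alg[1])

def algorithms_consistent(cert_der):
    inner, outer = signature_algorithms(cert_der)
    return inner == outer

# Constructed sample certificates (skeletons, not real ones): only the fields this check reads.
def _der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths suffice here
SHA256_RSA = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
SHA1_RSA = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010105")) + b"\x05\x00")

def _sample_cert(inner, outer):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + inner)
    return _der(0x30, tbs + outer + _der(0x03, b"\x00\xff"))   # dummy signature value
CONSISTENT_CERT = _sample_cert(SHA256_RSA, SHA256_RSA)   # both sha256WithRSAEncryption
MISMATCHED_CERT = _sample_cert(SHA256_RSA, SHA1_RSA)     # outer field says sha1WithRSAEncryption
```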
Upstream commit that fixes this:
Upstream test case:
This issue is fixed in upstream gnutls-3.3.13.
This issue was addressed in Fedora 21 via the following security advisory:
This issue was addressed in Fedora 22 via the following security advisory:
This issue affects the version of the gnutls package as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates.
This issue affects the version of the gnutls package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in the Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
This issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2015:1457 https://rhn.redhat.com/errata/RHSA-2015-1457.html