It was reported [1] that a version 1 intermediate certificate would be considered as a CA certificate by GnuTLS by default. This certificate verification behaviour deviates from the documented behaviour. Upstream notes that this only affects individuals or organizations who have a CA that issues X.509 version 1 certificates in their trusted list. This has been fixed upstream [2] in version 3.1.21 and 3.2.11. At a quick look at the code of GnuTLS 2.8.5, it is affected. 1.4.1 looks affected to me as well. [1] http://www.gnutls.org/security.html [2] https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18
Created mingw-gnutls tracking bugs for this issue: Affects: fedora-all [bug 1065096]
Created gnutls tracking bugs for this issue: Affects: fedora-all [bug 1065094]
Created mingw32-gnutls tracking bugs for this issue: Affects: epel-5 [bug 1065095]
(In reply to Vincent Danen from comment #0)
> At a quick look at the code of GnuTLS 2.8.5, it is affected. 1.4.1 looks
> affected to me as well.

The issue was introduced when v1 root certificates were allowed by default (2.11.5). Thus gnutls 2.8.5 or earlier are not affected since they do not allow X.509 v1 certificates by default.
Nikos, do you have any certificates that can easily be used to test this? Possibly something in the upstream test suite you'd recommend looking at?
I use the chain: https://gitorious.org/gnutls/gnutls/source/bd4ba0556de1120adfa1ce10caaeeaead49b323a:tests/chainverify.c#L52 It is a list of 3 certificates with a CA of version 1 as intermediate.
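As an added illustration (not code from the GnuTLS project or from anyone in this thread), a Python check for the condition the chain above exercises: it reads each certificate's X.509 version straight from the DER and flags any v1 certificate sitting in an intermediate position. The certificates are constructed skeletons (version and serialNumber only), not the upstream test chain.

```python
def _der_len(data, pos):
    """Decode a DER length field at pos; return (length, offset past it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def x509_version(cert_der):
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate.
    The version is an optional EXPLICIT [0] field at the start of tbsCertificate
    and DEFAULTs to v1 when absent. A v1 certificate has no extensions, so it can
    never assert basicConstraints CA:TRUE."""
    if cert_der[0] != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, pos = _der_len(cert_der, 1)              # enter Certificate
    if cert_der[pos] != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, pos = _der_len(cert_der, pos + 1)        # enter tbsCertificate
    if cert_der[pos] != 0xA0:                   # [0] absent: DEFAULT v1
        return 1
    _, pos = _der_len(cert_der, pos + 1)
    if cert_der[pos] != 0x02:
        raise ValueError("version is not an INTEGER")
    length, pos = _der_len(cert_der, pos + 1)
    return int.from_bytes(cert_der[pos:pos + length], "big") + 1

def v1_intermediates(chain_der):
    """Indices of v1 certificates in a leaf-first chain, excluding the leaf.
    Each one is being used as an issuer without being able to carry CA
    constraints; a verifier must not accept it as an intermediate CA."""
    return [i for i, c in enumerate(chain_der) if i > 0 and x509_version(c) == 1]

# Constructed, minimal DER skeletons: only version and serialNumber are present.
def _tlv(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def make_cert(version=None):
    """Skeletal certificate; version=None omits the field, i.e. X.509 v1."""
    tbs = b"" if version is None else _tlv(0xA0, _tlv(0x02, bytes([version - 1])))
    return _tlv(0x30, _tlv(0x30, tbs + _tlv(0x02, b"\x01")))  # + serialNumber

CHAIN = [make_cert(3), make_cert(), make_cert(3)]  # leaf, v1 intermediate, v3 CA
```

`v1_intermediates(CHAIN)` returns `[1]`, the position of the v1 intermediate that the vulnerable versions accepted as a CA.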
gnutls-3.1.20-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
gnutls-3.1.20-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mingw-gnutls-3.1.21-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mingw-gnutls-3.1.21-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
As mentioned in comment 11, this problem was introduced in upstream version 2.11.5. Therefore this did not affect gnutls packages as shipped with Red Hat Enterprise Linux 5 and 6. However, GnuTLS versions before 2.7.6 contained a different bug that had a similar effect of making GnuTLS accept version 1 certificates as valid intermediate CA certificates when using default verification flags. That issue was assigned a different id, CVE-2009-5138, and is tracked via bug 1069301. Statement: Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 5 and 6.