An issue was found in certificate validation using OCSP responses, caused by not verifying the serial length, which can falsely report a certificate as valid.

Upstream patch:
https://gitlab.com/gnutls/gnutls/commit/964632f37dfdfb914ebc5e49db4fa29af35b1de9

External References:
https://www.gnutls.org/security.html
https://lists.gnupg.org/pipermail/gnutls-devel/2016-September/008146.html
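The bug class described above, as an added example that is not part of the original report and is not GnuTLS code: a serial comparison that ignores length lets a certificate inherit the "good" status of a different serial, and the length check closes that gap. All names, the sample serials and the prefix-style weak comparison are constructed assumptions; the report only states that the serial length was not verified.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one entry in an OCSP response (not a GnuTLS type). */
enum cert_status { STATUS_NOT_FOUND = -1, STATUS_GOOD = 0, STATUS_REVOKED = 1 };
struct ocsp_entry { const unsigned char *serial; size_t len; enum cert_status status; };
typedef int (*serial_cmp)(const unsigned char *, size_t, const unsigned char *, size_t);

/* Weak: compares only the common prefix and never checks that lengths agree. */
static int serial_match_weak(const unsigned char *a, size_t a_len,
                             const unsigned char *b, size_t b_len)
{
    size_t n = a_len < b_len ? a_len : b_len;
    return memcmp(a, b, n) == 0;
}

/* Hardened: serials are equal only if both length and bytes are identical. */
static int serial_match_strict(const unsigned char *a, size_t a_len,
                               const unsigned char *b, size_t b_len)
{
    return a_len == b_len && memcmp(a, b, a_len) == 0;
}

/* Return the status of the first response entry whose serial matches. */
static enum cert_status lookup_status(const struct ocsp_entry *e, size_t count,
                                      const unsigned char *serial, size_t len,
                                      serial_cmp cmp)
{
    for (size_t i = 0; i < count; i++)
        if (cmp(serial, len, e[i].serial, e[i].len))
            return e[i].status;
    return STATUS_NOT_FOUND;
}

/* Constructed sample data: the response covers serial 12:34 only. */
static const unsigned char RESP_SERIAL[] = { 0x12, 0x34 };
static const unsigned char CERT_SERIAL[] = { 0x12, 0x34, 0x56 };
static const struct ocsp_entry RESPONSE[] = { { RESP_SERIAL, sizeof RESP_SERIAL, STATUS_GOOD } };

enum cert_status check_weak(void)   { return lookup_status(RESPONSE, 1, CERT_SERIAL, sizeof CERT_SERIAL, serial_match_weak); }
enum cert_status check_strict(void) { return lookup_status(RESPONSE, 1, CERT_SERIAL, sizeof CERT_SERIAL, serial_match_strict); }

int main(void)
{
    printf("weak: %d, strict: %d\n", check_weak(), check_strict());
    return 0;
}
```

With the weak comparison the certificate with serial 12:34:56 is reported as good from an entry issued for 12:34; the strict comparison reports it as not covered by the response.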
Created mingw-gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1374269]
Affects: epel-7 [bug 1374270]
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1374267]
gnutls-3.5.4-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
gnutls-3.4.15-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
gnutls-3.4.15-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
mingw-gnutls-3.5.4-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
CVE assignment: http://seclists.org/oss-sec/2016/q3/549
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2292 https://access.redhat.com/errata/RHSA-2017:2292