Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Производитель ПО
Наименование ПО
gnutls
(Unknown)
Описание
Функция _gnutls_x509_verify_certificate в lib/x509/verify.c в libgnutls в GnuTLS доверяет цепочке сертификатов, если последний сертификат цепочки самоподписанный сертификат, что позволяет злоумышленникам внедрить сертификат, который подменен, в Distinguished Name (DN).
Как исправить
Для устранения уязвимости необходимо установить последнюю версию продукта, соответствующую используемой платформе. Необходимую информацию можно получить по адресу:
http://www.gnu.org/software/gnutls/
http://www.gnu.org/software/gnutls/
Ссылки
BID (32232): http://www.securityfocus.com/bid/32232
MLIST ([gnutls-devel] 20081110 GnuTLS 2.6.1 - Security release [GNUTLS-SA-2008-3]): http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
FEDORA (FEDORA-2008-9600): https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00293.html
FEDORA (FEDORA-2008-9530): https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00222.html
XF (gnutls-x509-name-spoofing(46482)): http://xforce.iss.net/xforce/xfdb/46482
VUPEN (ADV-2009-1567): http://www.vupen.com/english/advisories/2009/1567
UBUNTU (USN-678-1): http://www.ubuntulinux.org/support/documentation/usn/usn-678-1
UBUNTU (USN-678-2): http://www.ubuntu.com/usn/usn-678-2
SECTRACK (1021167): http://www.securitytracker.com/id?1021167
REDHAT (RHSA-2008:0982): http://www.redhat.com/support/errata/RHSA-2008-0982.html
MANDRIVA (MDVSA-2008:227): http://www.mandriva.com/security/advisories?name=MDVSA-2008:227
CONFIRM (http://www.gnu.org/software/gnutls/security.html): http://www.gnu.org/software/gnutls/security.html
VUPEN (ADV-2008-3086): http://www.frsirt.com/english/advisories/2008/3086
DEBIAN (DSA-1719): http://www.debian.org/security/2009/dsa-1719
SUNALERT (260528): http://sunsolve.sun.com/search/document.do?assetkey=1-26-260528-1
GENTOO (GLSA-200901-10): http://security.gentoo.org/glsa/glsa-200901-10.xml
SUSE (SUSE-SR:2009:009): http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
SUSE (SUSE-SR:2008:027): http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
MLIST ([gnutls-devel] 20081110 Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989): http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217
MLIST ([gnutls-devel] 20081110 GnuTLS 2.6.1 - Security release [GNUTLS-SA-2008-3]): http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
FEDORA (FEDORA-2008-9600): https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00293.html
FEDORA (FEDORA-2008-9530): https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00222.html
XF (gnutls-x509-name-spoofing(46482)): http://xforce.iss.net/xforce/xfdb/46482
VUPEN (ADV-2009-1567): http://www.vupen.com/english/advisories/2009/1567
UBUNTU (USN-678-1): http://www.ubuntulinux.org/support/documentation/usn/usn-678-1
UBUNTU (USN-678-2): http://www.ubuntu.com/usn/usn-678-2
SECTRACK (1021167): http://www.securitytracker.com/id?1021167
REDHAT (RHSA-2008:0982): http://www.redhat.com/support/errata/RHSA-2008-0982.html
MANDRIVA (MDVSA-2008:227): http://www.mandriva.com/security/advisories?name=MDVSA-2008:227
CONFIRM (http://www.gnu.org/software/gnutls/security.html): http://www.gnu.org/software/gnutls/security.html
VUPEN (ADV-2008-3086): http://www.frsirt.com/english/advisories/2008/3086
DEBIAN (DSA-1719): http://www.debian.org/security/2009/dsa-1719
SUNALERT (260528): http://sunsolve.sun.com/search/document.do?assetkey=1-26-260528-1
GENTOO (GLSA-200901-10): http://security.gentoo.org/glsa/glsa-200901-10.xml
SUSE (SUSE-SR:2009:009): http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
SUSE (SUSE-SR:2008:027): http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
MLIST ([gnutls-devel] 20081110 Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989): http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217