CVE-2009-2730
Published: 12 August 2009
libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
Notes
Author | Note |
---|---|
jdstrand | patches in order: http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_8_x&id=a431be86124f900c4082e82d32917f86fcce461a http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_8_x&id=74b6d92f9675ce4e03642c4d6ced4a3a614b07f6 http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_8_x&id=40081594e3de518b998f3e5177ed5a9f7707f2e8 http://git.savannah.gnu.org/cgit/gnutls.git/patch/?id=5a58e9d33448235377afd5fbfcee1683dc70eae3 http://git.savannah.gnu.org/cgit/gnutls.git/patch/?id=1ea190d216767dd4ab93b87361cbcb9d4fb3aafc |
Priority
Status
Package | Release | Status |
---|---|---|
gnutls11 Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
hardy |
Does not exist
|
|
intrepid |
Does not exist
|
|
jaunty |
Does not exist
|
|
karmic |
Does not exist
|
|
upstream |
Needs triage
|
|
gnutls12 Launchpad, Ubuntu, Debian |
dapper |
Released
(1.2.9-2ubuntu1.7)
|
hardy |
Does not exist
|
|
intrepid |
Does not exist
|
|
jaunty |
Does not exist
|
|
karmic |
Does not exist
|
|
upstream |
Needs triage
|
|
gnutls13 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
hardy |
Released
(2.0.4-1ubuntu2.6)
|
|
intrepid |
Does not exist
|
|
jaunty |
Does not exist
|
|
karmic |
Does not exist
|
|
upstream |
Needs triage
|
|
gnutls26 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
hardy |
Does not exist
|
|
intrepid |
Released
(2.4.1-1ubuntu0.4)
|
|
jaunty |
Released
(2.4.2-6ubuntu0.1)
|
|
karmic |
Released
(2.6.6-1ubuntu1)
|
|
upstream |
Released
(2.8.3)
|
|
Patches: upstream: http://lists.gnu.org/archive/html/help-gnutls/2009-08/msg00011.html |