CVE-2009-1417

Publication date 30 April 2009

Last updated 24 July 2024


Ubuntu priority

gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.
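
As an added illustration of the check this entry describes, and not code from GnuTLS or from this tracker page, the following Python function evaluates a certificate's validity period against a verification time and reports the two cases listed above, (1) not yet valid and (2) no longer valid, then turns the result into a process exit status the way a verifying client should. The certificate dictionary mirrors the layout of Python's `ssl.getpeercert()` and is a constructed sample; the exit-code constants are assumptions made for the example.

```python
"""Validity-period check of the kind CVE-2009-1417 concerns: reject a
certificate that is not yet valid or already expired, and make the
rejection visible in the exit status, not only in a printed message."""
import ssl
import time

# Constructed sample in the layout returned by ssl.SSLSocket.getpeercert();
# this is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Dec 31 23:59:59 2009 GMT",
}

# Exit codes are an assumption for this example, not GnuTLS's own values.
EXIT_OK = 0
EXIT_VERIFY_FAILED = 1


def validity_status(cert, now=None):
    """Return 'valid', 'not_yet_valid' or 'expired' for `cert` at time `now`
    (seconds since the epoch, UTC; defaults to the current time).

    Both bounds are inclusive, matching RFC 5280's definition of the
    validity period.  A certificate whose notBefore lies after its notAfter
    is malformed and is rejected outright rather than silently accepted."""
    if now is None:
        now = time.time()
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" strings
    # that getpeercert() produces into epoch seconds.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_before > not_after:
        raise ValueError("notBefore is later than notAfter; malformed validity")
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def verify_exit_code(cert, now=None):
    """Report the time check *and* fail on it.

    The defect behind this CVE was that the client printed the validity
    problem yet still exited successfully, so a caller that only looked at
    the exit status believed verification had passed."""
    status = validity_status(cert, now)
    if status != "valid":
        print(f"certificate is {status.replace('_', ' ')}; rejecting")
        return EXIT_VERIFY_FAILED
    return EXIT_OK


if __name__ == "__main__":
    import sys
    sys.exit(verify_exit_code(SAMPLE_CERT))
```

The comparison must use the time at which verification is performed (here passed in explicitly so the result is reproducible), and the caller must act on the returned status; a check that only prints a warning is the behaviour this entry reports as the vulnerability.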

Status

Package    Ubuntu release      Status
gnutls11   9.04 (jaunty)       Not in release
gnutls11   8.10 (intrepid)     Not in release
gnutls11   8.04 LTS (hardy)    Not in release
gnutls11   6.06 LTS (dapper)   Ignored
gnutls12   9.04 (jaunty)       Not in release
gnutls12   8.10 (intrepid)     Not in release
gnutls12   8.04 LTS (hardy)    Not in release
gnutls12   6.06 LTS (dapper)   Ignored
gnutls13   9.04 (jaunty)       Not in release
gnutls13   8.10 (intrepid)     Not in release
gnutls13   8.04 LTS (hardy)    Ignored
gnutls13   6.06 LTS (dapper)   Not in release
gnutls26   9.04 (jaunty)       Ignored
gnutls26   8.10 (intrepid)     Ignored
gnutls26   8.04 LTS (hardy)    Not in release
gnutls26   6.06 LTS (dapper)   Not in release

Notes

jdstrand

From Debian: "[lenny] - gnutls26 <no-dsa> (Minor issue, explicitly labeled as a test program)"

From upstream: "We are concerned that changing the semantics of an existing function in this way may be seen as backwards incompatible, but we believe having a default-secure mode should carry more weight here."

The problem is that while gnutls-cli does report the expiration properly, it does not exit with an error if the certificate is not active or has expired. The upstream patches are not backwards compatible, and the risk of regression in changing the library far outweighs the security benefit of applying this patch to adjust the return code for gnutls-bin. It is possible to adjust the return code of gnutls-bin, but this would require diverging from upstream and causing maintenance problems down the road.