CVE-2009-2730

Publication date 12 August 2009

Last updated 24 July 2024


Ubuntu priority

libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.


Status

Package    Ubuntu Release     Status
gnutls11   9.10 karmic        Not in release
           9.04 jaunty        Not in release
           8.10 intrepid      Not in release
           8.04 LTS hardy     Not in release
           6.06 LTS dapper    Ignored (end of life)
gnutls12   9.10 karmic        Not in release
           9.04 jaunty        Not in release
           8.10 intrepid      Not in release
           8.04 LTS hardy     Not in release
           6.06 LTS dapper    Fixed 1.2.9-2ubuntu1.7
gnutls13   9.10 karmic        Not in release
           9.04 jaunty        Not in release
           8.10 intrepid      Not in release
           8.04 LTS hardy     Fixed 2.0.4-1ubuntu2.6
           6.06 LTS dapper    Not in release
gnutls26   9.10 karmic        Fixed 2.6.6-1ubuntu1
           9.04 jaunty        Fixed 2.4.2-6ubuntu0.1
           8.10 intrepid      Fixed 2.4.1-1ubuntu0.4
           8.04 LTS hardy     Not in release
           6.06 LTS dapper    Not in release

Notes


jdstrand

patches in order:
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_8_x&id=a431be86124f900c4082e82d32917f86fcce461a
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_8_x&id=74b6d92f9675ce4e03642c4d6ced4a3a614b07f6
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_8_x&id=40081594e3de518b998f3e5177ed5a9f7707f2e8
http://git.savannah.gnu.org/cgit/gnutls.git/patch/?id=5a58e9d33448235377afd5fbfcee1683dc70eae3
http://git.savannah.gnu.org/cgit/gnutls.git/patch/?id=1ea190d216767dd4ab93b87361cbcb9d4fb3aafc

Patch details

For informational purposes only. We recommend against cherry-picking updates; apply the fixed package versions listed above instead.

Package Patch details
gnutls26

References

Related Ubuntu Security Notices (USN)

    • USN-809-1: GnuTLS vulnerabilities (19 August 2009)

Other references