Security Information / 2014 / Security Information -- DSA-2866-1 gnutls26

Debian Security Advisory

DSA-2866-1 gnutls26 -- certificate verification flaw

Date Reported:

22 Feb 2014

Affected Packages:

gnutls26

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-1959.

More information:

Suman Jana reported that GnuTLS, deviating from the documented behavior, considers a version 1 intermediate certificate as a CA certificate by default.

The oldstable distribution (squeeze) is not affected by this problem as X.509 version 1 trusted CA certificates are not allowed by default.

For the stable distribution (wheezy), this problem has been fixed in version 2.12.20-8.

For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in version 2.12.23-12.

We recommend that you upgrade your gnutls26 packages.