Debian Security Advisory
DSA-2866-1 gnutls26 -- certificate verification flaw
- Date Reported:
- 22 Feb 2014
- Affected Packages:
- gnutls26
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2014-1959.
- More information:
-
Suman Jana reported that GnuTLS, deviating from the documented behavior, considers a version 1 intermediate certificate as a CA certificate by default.
The oldstable distribution (squeeze) is not affected by this problem as X.509 version 1 trusted CA certificates are not allowed by default.
For the stable distribution (wheezy), this problem has been fixed in version 2.12.20-8.
For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in version 2.12.23-12.
We recommend that you upgrade your gnutls26 packages.