CVE-2009-1417
Publication date 30 April 2009
Last updated 24 July 2024
Ubuntu priority
gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.
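The check that the description says gnutls-cli omitted is the comparison of the current time against the certificate's notBefore and notAfter fields. The following added example (not code from GnuTLS, Ubuntu or the CVE record) shows that check in Python using only the standard library: `ssl.cert_time_to_seconds` parses the validity strings in the format `ssl.SSLSocket.getpeercert()` returns, and the result is mapped to a process exit status so a caller can rely on the status rather than on a printed warning. `SAMPLE_CERT` is a constructed dictionary with the shape of a `getpeercert()` result, not a real certificate.

```python
import ssl
import sys
import time

# Constructed sample (assumption, not a real certificate): only the fields
# used by the check are filled in, in the format getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan 1 00:00:00 2020 GMT",
    "notAfter": "Jan 1 00:00:00 2021 GMT",
}


def check_validity_period(cert, now=None):
    """Return (ok, reason).

    ok is False when the certificate is not yet valid or has expired at
    time `now` (seconds since the epoch, UTC). Both boundaries are
    inclusive, matching the usual reading of notBefore/notAfter.
    """
    if now is None:
        now = time.time()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return False, "certificate not yet valid"
    if now > not_after:
        return False, "certificate expired"
    return True, "validity period ok"


def exit_code_for(cert, now=None):
    """Map the check to an exit status: 0 when the validity period is
    acceptable, 1 otherwise. Reporting the problem in the status (not
    only on stdout) is what lets scripts that wrap a client tool stop
    on a certificate that is outside its validity window."""
    ok, reason = check_validity_period(cert, now)
    print(f"{'OK' if ok else 'FAIL'}: {reason}")
    return 0 if ok else 1


if __name__ == "__main__":
    # Run against the constructed sample at the current time; the sample
    # expired at the start of 2021, so this exits with status 1.
    sys.exit(exit_code_for(SAMPLE_CERT))
```

The design point mirrors the note below: printing "expired" is not enough when the process still exits 0, because anything scripting the client sees success.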
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| gnutls11 | | |
| gnutls12 | | |
| gnutls13 | | |
| gnutls26 | | |
Notes
jdstrand
From Debian: "[lenny] - gnutls26 <no-dsa> (Minor issue, explicitly labeled as a test program)"

From upstream: "We are concerned that changing the semantics of an existing function in this way may be seen as backwards incompatible, but we believe having a default-secure mode should carry more weight here."

The problem is that while gnutls-cli does report the expiration properly, it does not exit with error if the certificate is not active or expired. The upstream patches are not backwards compatible and the risk of regression in changing the library far outweighs the security benefit of applying this patch to adjust the return code for gnutls-bin. It is possible to adjust the return code of gnutls-bin, but this would require diverging from upstream and causing maintenance problems down the road.