rpms/gnutls/F-9 gnutls-1.4.1-cve-2008-4989.patch, NONE, 1.1 gnutls.spec, 1.32, 1.33
Tomáš Mráz
tmraz at fedoraproject.org
Tue Nov 11 13:17:00 UTC 2008
- Previous message: rpms/PackageKit/F-9 PackageKit-0.3.8-Fedora-Vendor.conf.patch, NONE, 1.1 .cvsignore, 1.26, 1.27 PackageKit.spec, 1.52, 1.53 sources, 1.27, 1.28 pk-check-what-requires-search-string.patch, 1.1, NONE pk-dont-blacklist-apostrophes.patch, 1.1, NONE pk-dont-stop-at-first-package.patch, 1.1, NONE pk-handle-restart-x64.patch, 1.1, NONE pk-network-fallback-use-zero-destination.patch, 1.1, NONE pk-ship-yum-install-signature.patch, 1.1, NONE pk-test-local-files-correctly.patch, 1.1, NONE pk-yum-api-broken-fingerprint-now-function.patch, 1.1, NONE
- Next message: rpms/getmail/F-9 .cvsignore, 1.4, 1.5 getmail.spec, 1.3, 1.4 sources, 1.4, 1.5
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: tmraz
Update of /cvs/pkgs/rpms/gnutls/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24752
Modified Files:
gnutls.spec
Added Files:
gnutls-1.4.1-cve-2008-4989.patch
Log Message:
* Tue May 20 2008 Tomas Mraz <tmraz at redhat.com> 2.0.4-3
- fix three security issues in gnutls handshake - GNUTLS-SA-2008-1
(#447461, #447462, #447463)
gnutls-1.4.1-cve-2008-4989.patch:
--- NEW FILE gnutls-1.4.1-cve-2008-4989.patch ---
diff -up gnutls-1.4.1/lib/x509/verify.c.chain-verify gnutls-1.4.1/lib/x509/verify.c
--- gnutls-1.4.1/lib/x509/verify.c.chain-verify 2008-11-11 10:55:19.000000000 +0100
+++ gnutls-1.4.1/lib/x509/verify.c 2008-11-11 10:58:54.000000000 +0100
@@ -379,6 +379,17 @@ _gnutls_x509_verify_certificate (const g
int i = 0, ret;
unsigned int status = 0, output;
+ /* Check if the last certificate in the path is self signed.
+ * In that case ignore it (a certificate is trusted only if it
+ * leads to a trusted party by us, not the server's).
+ */
+ if (clist_size > 1 &&
+ gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+ certificate_list[clist_size - 1]) > 0)
+ {
+ clist_size--;
+ }
+
/* Verify the last certificate in the certificate path
* against the trusted CA certificate list.
*
@@ -417,17 +428,6 @@ _gnutls_x509_verify_certificate (const g
}
#endif
- /* Check if the last certificate in the path is self signed.
- * In that case ignore it (a certificate is trusted only if it
- * leads to a trusted party by us, not the server's).
- */
- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
- certificate_list[clist_size - 1]) > 0
- && clist_size > 0)
- {
- clist_size--;
- }
-
/* Verify the certificate path (chain)
*/
for (i = clist_size - 1; i > 0; i--)
Index: gnutls.spec
===================================================================
RCS file: /cvs/pkgs/rpms/gnutls/F-9/gnutls.spec,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- gnutls.spec 20 May 2008 11:57:02 -0000 1.32
+++ gnutls.spec 11 Nov 2008 13:16:29 -0000 1.33
@@ -1,7 +1,7 @@
Summary: A TLS protocol implementation
Name: gnutls
Version: 2.0.4
-Release: 3%{?dist}
+Release: 4%{?dist}
# The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv2+
License: GPLv2+ and LGPLv2+
Group: System Environment/Libraries
@@ -16,6 +16,7 @@
Source1: libgnutls-config
Patch0: gnutls-2.0.4-nosrp.patch
Patch4: gnutls-1.4.1-sa-2008-1.patch
+Patch5: gnutls-1.4.1-cve-2008-4989.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: libgcrypt >= 1.2.2
@@ -58,6 +59,7 @@
%setup -q
%patch0 -p1 -b .nosrp
%patch4 -p1 -b .sa-2008-1
+%patch5 -p1 -b .chain-verify
for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
touch lib/$i
@@ -126,6 +128,9 @@
%{_mandir}/man1/*
%changelog
+* Tue Nov 11 2008 Tomas Mraz <tmraz at redhat.com> 2.0.4-4
+- fix chain verification issue CVE-2008-4989 (#470079)
+
* Tue May 20 2008 Tomas Mraz <tmraz at redhat.com> 2.0.4-3
- fix three security issues in gnutls handshake - GNUTLS-SA-2008-1
(#447461, #447462, #447463)
- Previous message: rpms/PackageKit/F-9 PackageKit-0.3.8-Fedora-Vendor.conf.patch, NONE, 1.1 .cvsignore, 1.26, 1.27 PackageKit.spec, 1.52, 1.53 sources, 1.27, 1.28 pk-check-what-requires-search-string.patch, 1.1, NONE pk-dont-blacklist-apostrophes.patch, 1.1, NONE pk-dont-stop-at-first-package.patch, 1.1, NONE pk-handle-restart-x64.patch, 1.1, NONE pk-network-fallback-use-zero-destination.patch, 1.1, NONE pk-ship-yum-install-signature.patch, 1.1, NONE pk-test-local-files-correctly.patch, 1.1, NONE pk-yum-api-broken-fingerprint-now-function.patch, 1.1, NONE
- Next message: rpms/getmail/F-9 .cvsignore, 1.4, 1.5 getmail.spec, 1.3, 1.4 sources, 1.4, 1.5
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list