Candidate: CVE-2009-1417 PublicDate: 2009-04-30 20:30:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417 http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3517 Description: gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup. Ubuntu-Description: Notes: jdstrand> from Debian: "[lenny] - gnutls26 (Minor issue, explicitly labeled as a test program)" jdstrand> from upstream: "We are concerned that changing the semantics of an existing function in this way may be seen as backwards incompatible, but we believe having a default-secure mode should carry more weight here." jdstrand> problem is that while gnutls-cli does report the expiration properly, it does not exit with error if the certificate is not active or expired. The upstream patches are not backwards compatible and the risk of regression in changing the library far outweighs the security benefit of applying this patch to adjust the return code for gnutls-bin. It is possible to adjust the return code of gnutls-bin, but this would require diverging from upstream and causing maintenance problems down the road. Bugs: Priority: low Discovered-by: Assigned-to: CVSS: Patches_gnutls11: upstream_gnutls11: needs-triage dapper_gnutls11: ignored hardy_gnutls11: DNE intrepid_gnutls11: DNE jaunty_gnutls11: DNE devel_gnutls11: DNE Patches_gnutls12: upstream_gnutls12: needs-triage dapper_gnutls12: ignored hardy_gnutls12: DNE intrepid_gnutls12: DNE jaunty_gnutls12: DNE devel_gnutls12: DNE Patches_gnutls13: upstream_gnutls13: needs-triage dapper_gnutls13: DNE hardy_gnutls13: ignored intrepid_gnutls13: DNE jaunty_gnutls13: DNE devel_gnutls13: DNE Patches_gnutls26: upstream_gnutls26: released (2.6.6-1) dapper_gnutls26: DNE hardy_gnutls26: DNE intrepid_gnutls26: ignored jaunty_gnutls26: ignored devel_gnutls26: not-affected (2.6.6-1)