[SECURITY] [DSA 1333-1] New libcurl3-gnutls packages fix certificate handling

------------------------------------------------------------------------ Debian Security Advisory DSA-1333 [email protected] http://www.debian.org/security/ Steve Kemp July 18th, 2007 - ------------------------------------------------------------------------ Package : libcurl3-gnutls...

Design/Logic Flaw

libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions...

CVE-2007-3564

libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions...

CVE-2007-3564

libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions...

CVE-2007-3564

libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions...

CVE-2007-3564

libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions...

CVE-2007-3564

CVE-2007-3564 affects libcurl versions 7.14.0–7.16.3 built with GnuTLS, where certificate expiration/activation dates are not checked, enabling bypass of access restrictions. Connected advisories note fixed packages: Debian/etch update to curl libcurl3-gnutls (e.g., 7.15.5-1etch1) and Ubuntu/Debi...

CVE-2007-3564

libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions...

DSA-1333-1 curl

Bulletin has no description...

USN-484-1: curl vulnerability

It was discovered that the GnuTLS certificate verification methods implemented in Curl did not check for expiration and activation dates. When performing validations, tools using libcurl3-gnutls would incorrectly allow connections to sites using expired certificates...

CURL-CVE-2007-3564 GnuTLS insufficient cert verification

libcurl when built to use GnuTLS fails to verify that a peer's certificate has not already expired or has not yet become valid. This allows malicious servers to present certificates to libcurl that were not rejected properly. Notably, the CA certificate and common name checks are still in place...

SUSE-SA:2006:055: openssl,mozilla-nss

The remote host is missing the patch for the advisory SUSE-SA:2006:055 openssl,mozilla-nss. If an RSA key with exponent 3 is used it may be possible to forge a PKCS verify the certificate if they are not checking for excess data in the RSA exponentiation result of the signature. This problems...

Mandrake Linux Security Advisory : gnutls (MDKSA-2006:166)

verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3, does not properly handle excess data in the digestAlgorithm.parameters field when generating a hash, which allows remote attackers to forge a PKCS 1 v1.5 signature that is signed by that RSA key and prevents GnuTLS from...

Fedora Core 5 : gnutls-1.2.10-3 (2006-974)

Thu Sep 14 2006 Tomas Mraz 1.2.10-3 - detect forged signatures - CVE-2006-4790 206411, patch from upstream - Tue May 16 2006 Tomas Mraz - 1.2.10-2 - added missing buildrequires Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security...

Important gnutls security update

1.0.20-3.2.3 - detect forged signatures - CVE-2006-4790 206411, patch backported from upstream...

FreeBSD : gnutls -- RSA Signature Forgery Vulnerability (64bf6234-520d-11db-8f1a-000a48049292)

Secunia reports : A vulnerability has been reported in GnuTLS, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error in the verification of certain signatures. If a RSA key with exponent 3 is used, it may be possible to for...

GLSA-200609-15 : GnuTLS: RSA Signature Forgery

The remote host is affected by the vulnerability described in GLSA-200609-15 GnuTLS: RSA Signature Forgery verify.c fails to properly handle excess data in digestAlgorithm.parameters field while generating a hash when using an RSA key with exponent 3. RSA keys that use exponent 3 are commonplace...

GnuTLS: RSA Signature Forgery

Background GnuTLS is an implementation of SSL 3.0 and TLS 1.0. Description verify.c fails to properly handle excess data in digestAlgorithm.parameters field while generating a hash when using an RSA key with exponent 3. RSA keys that use exponent 3 are commonplace. Impact Remote attackers could...

CentOS 4 : gnutls (CESA-2006:0680)

Updated gnutls packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The GnuTLS Library provides support for cryptographic algorithms and protocols such as TLS...

USN-348-1: GnuTLS vulnerability

The GnuTLS library did not sufficiently check the padding of PKCS 1 v1.5 signatures if the exponent of the public key is 3 which is widely used for CAs. This could be exploited to forge signatures without the need of the secret key...