CVE-2009-1417

2009-04-3000:00:00

ubuntu.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

78.7%

JSON

gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and
expiration times of X.509 certificates, which allows remote attackers to
successfully present a certificate that is (1) not yet valid or (2) no
longer valid, related to lack of time checks in the
_gnutls_x509_verify_certificate function in lib/x509/verify.c in
libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and © libsoup.

Notes

Author	Note
jdstrand	from Debian: “[lenny] - gnutls26 <no-dsa> (Minor issue, explicitly labeled as a test program)” from upstream: “We are concerned that changing the semantics of an existing function in this way may be seen as backwards incompatible, but we believe having a default-secure mode should carry more weight here.” problem is that while gnutls-cli does report the expiration properly, it does not exit with error if the certificate is not active or expired. The upstream patches are not backwards compatible and the risk of regression in changing the library far outweighs the security benefit of applying this patch to adjust the return code for gnutls-bin. It is possible to adjust the return code of gnutls-bin, but this would require diverging from upstream and causing maintenance problems down the road.

Author

Note

jdstrand

from Debian: “[lenny] - gnutls26 <no-dsa> (Minor issue, explicitly labeled as a test program)” from upstream: “We are concerned that changing the semantics of an existing function in this way may be seen as backwards incompatible, but we believe having a default-secure mode should carry more weight here.” problem is that while gnutls-cli does report the expiration properly, it does not exit with error if the certificate is not active or expired. The upstream patches are not backwards compatible and the risk of regression in changing the library far outweighs the security benefit of applying this patch to adjust the return code for gnutls-bin. It is possible to adjust the return code of gnutls-bin, but this would require diverging from upstream and causing maintenance problems down the road.