CVE-2014-1959
First published: Wed Feb 12 2014(Updated: )
It was reported [1] that a version 1 intermediate certificate would be considered as a CA certificate by GnuTLS by default. This certificate verification behaviour deviates from the documented behaviour. Upstream notes that this only affects individuals or organizations who have a CA that issues X.509 version 1 certificates in their trusted list. This has been fixed upstream [2] in version 3.1.21 and 3.2.11. At a quick look at the code of GnuTLS 2.8.5, it is affected. 1.4.1 looks affected to me as well. [1] <a href="http://www.gnutls.org/security.html">http://www.gnutls.org/security.html</a> [2] <a href="https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18">https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/gnutls | <3.1.21 | 3.1.21 |
| redhat/gnutls | <3.2.11 | 3.2.11 |
| GNU GnuTLS | <=3.1.20 | |
| GNU GnuTLS | =3.1.0 | |
| GNU GnuTLS | =3.1.1 | |
| GNU GnuTLS | =3.1.2 | |
| GNU GnuTLS | =3.1.3 | |
| GNU GnuTLS | =3.1.4 | |
| GNU GnuTLS | =3.1.5 | |
| GNU GnuTLS | =3.1.6 | |
| GNU GnuTLS | =3.1.7 | |
| GNU GnuTLS | =3.1.8 | |
| GNU GnuTLS | =3.1.9 | |
| GNU GnuTLS | =3.1.10 | |
| GNU GnuTLS | =3.1.11 | |
| GNU GnuTLS | =3.1.12 | |
| GNU GnuTLS | =3.1.13 | |
| GNU GnuTLS | =3.1.14 | |
| GNU GnuTLS | =3.1.15 | |
| GNU GnuTLS | =3.1.16 | |
| GNU GnuTLS | =3.1.17 | |
| GNU GnuTLS | =3.1.18 | |
| GNU GnuTLS | =3.1.19 | |
| GNU GnuTLS | <=3.2.10 | |
| GNU GnuTLS | =3.2.0 | |
| GNU GnuTLS | =3.2.1 | |
| GNU GnuTLS | =3.2.2 | |
| GNU GnuTLS | =3.2.3 | |
| GNU GnuTLS | =3.2.4 | |
| GNU GnuTLS | =3.2.5 | |
| GNU GnuTLS | =3.2.6 | |
| GNU GnuTLS | =3.2.7 | |
| GNU GnuTLS | =3.2.8 | |
| GNU GnuTLS | =3.2.8.1 | |
| GNU GnuTLS | =3.2.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2014-1959 https://nvd.nist.gov/vuln/detail/CVE-2014-1959
- https://bugzilla.redhat.com/show_bug.cgi?id=1065092
- https://access.redhat.com/security/cve/CVE-2014-1959
- http://www.gnutls.org/security.html
- https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1065096
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1065094
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1065095
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1065092#c0
- https://gitorious.org/gnutls/gnutls/source/bd4ba0556de1120adfa1ce10caaeeaead49b323a:tests/chainverify.c#L52
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1065092#c11
- https://access.redhat.com/security/cve/CVE-2009-5138
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1069301
- http://seclists.org/oss-sec/2014/q1/344
- http://seclists.org/oss-sec/2014/q1/345
- http://www.debian.org/security/2014/dsa-2866
- http://www.securityfocus.com/bid/65559
- http://www.ubuntu.com/usn/USN-2121-1
- https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d182d68539900092eb42fc62cf1bb7e7c
- collector/redhat-cve
- collector/redhat-bugzilla
- alias/CVE-2014-1959
- agent/type
- agent/event
- agent/last-modified-date
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- agent/remedy
- agent/references
- agent/weakness
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/description
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/gnu
- canonical/gnu gnutls
- version/gnu gnutls/3.1.20
- version/gnu gnutls/3.1.0
- version/gnu gnutls/3.1.1
- version/gnu gnutls/3.1.2
- version/gnu gnutls/3.1.3
- version/gnu gnutls/3.1.4
- version/gnu gnutls/3.1.5
- version/gnu gnutls/3.1.6
- version/gnu gnutls/3.1.7
- version/gnu gnutls/3.1.8
- version/gnu gnutls/3.1.9
- version/gnu gnutls/3.1.10
- version/gnu gnutls/3.1.11
- version/gnu gnutls/3.1.12
- version/gnu gnutls/3.1.13
- version/gnu gnutls/3.1.14
- version/gnu gnutls/3.1.15
- version/gnu gnutls/3.1.16
- version/gnu gnutls/3.1.17
- version/gnu gnutls/3.1.18
- version/gnu gnutls/3.1.19
- version/gnu gnutls/3.2.10
- version/gnu gnutls/3.2.0
- version/gnu gnutls/3.2.1
- version/gnu gnutls/3.2.2
- version/gnu gnutls/3.2.3
- version/gnu gnutls/3.2.4
- version/gnu gnutls/3.2.5
- version/gnu gnutls/3.2.6
- version/gnu gnutls/3.2.7
- version/gnu gnutls/3.2.8
- version/gnu gnutls/3.2.8.1
- version/gnu gnutls/3.2.9