First published: Thu Sep 08 2016
An issue was found in certificate validation using OCSP responses: the serial number carried in the response was compared without verifying its length, which can cause a certificate to be falsely reported as valid.

Upstream patch: <a href="https://gitlab.com/gnutls/gnutls/commit/964632f37dfdfb914ebc5e49db4fa29af35b1de9">https://gitlab.com/gnutls/gnutls/commit/964632f37dfdfb914ebc5e49db4fa29af35b1de9</a>

External References: <a href="https://www.gnutls.org/security.html">https://www.gnutls.org/security.html</a> <a href="https://lists.gnupg.org/pipermail/gnutls-devel/2016-September/008146.html">https://lists.gnupg.org/pipermail/gnutls-devel/2016-September/008146.html</a>
Credit: security@debian.org
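To illustrate the class of defect the advisory describes, here is an added example (not GnuTLS code, and not the upstream patch): a serial-number comparison that only compares as many bytes as the certificate's serial has, beside one that first requires the two lengths to agree. The `serial_t` type and the sample serial values are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Raw content octets of a DER INTEGER, as a certificate serial number or
   the serial in an OCSP CertID would be handed to a comparison routine. */
typedef struct {
    const uint8_t *data;
    size_t size;
} serial_t;

/* Length-unaware comparison: only cert->size bytes are compared, so a
   response serial that merely starts with the certificate's serial is
   accepted as a match. Kept here only to contrast with the checked form. */
int serial_match_unchecked(const serial_t *resp, const serial_t *cert)
{
    return memcmp(resp->data, cert->data, cert->size) == 0;
}

/* Checked comparison: lengths must agree before any bytes are compared. */
int serial_match_checked(const serial_t *resp, const serial_t *cert)
{
    if (resp->size != cert->size)
        return 0;
    return memcmp(resp->data, cert->data, cert->size) == 0;
}

/* Constructed sample: a 4-byte certificate serial and a 5-byte response
   serial whose first four bytes are identical. */
static const uint8_t SAMPLE_CERT_BYTES[] = {0x01, 0x02, 0x03, 0x04};
static const uint8_t SAMPLE_RESP_BYTES[] = {0x01, 0x02, 0x03, 0x04, 0x05};
const serial_t SAMPLE_CERT_SERIAL = {SAMPLE_CERT_BYTES, sizeof SAMPLE_CERT_BYTES};
const serial_t SAMPLE_RESP_SERIAL = {SAMPLE_RESP_BYTES, sizeof SAMPLE_RESP_BYTES};

/* Returns 1 when the unchecked compare wrongly reports a match on the
   sample while the checked compare rejects it. */
int demo_length_confusion(void)
{
    return serial_match_unchecked(&SAMPLE_RESP_SERIAL, &SAMPLE_CERT_SERIAL) == 1
        && serial_match_checked(&SAMPLE_RESP_SERIAL, &SAMPLE_CERT_SERIAL) == 0;
}

int main(void)
{
    printf("unchecked match: %d\n", serial_match_unchecked(&SAMPLE_RESP_SERIAL, &SAMPLE_CERT_SERIAL));
    printf("checked match:   %d\n", serial_match_checked(&SAMPLE_RESP_SERIAL, &SAMPLE_CERT_SERIAL));
    return 0;
}
```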
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/gnutls | <3.4.15 | 3.4.15 |
redhat/gnutls | <3.5.4 | 3.5.4 |
GnuTLS | <=3.4.14 | |
GnuTLS | =3.5.0 | |
GnuTLS | =3.5.1 | |
GnuTLS | =3.5.2 | |
GnuTLS | =3.5.3 | |
debian/gnutls28 | 3.7.1-5+deb11u5, 3.7.1-5+deb11u7, 3.7.9-2+deb12u3, 3.7.9-2+deb12u4, 3.8.9-2 | |
CVE-2016-7444 is considered a critical vulnerability due to the potential for certificate validation bypass.
To mitigate CVE-2016-7444, upgrade GnuTLS to version 3.4.15 or later, or 3.5.4 or later.
CVE-2016-7444 affects multiple versions of GnuTLS including versions prior to 3.4.15 and certain versions of 3.5.x.
Exploiting CVE-2016-7444 may allow attackers to cause applications to incorrectly validate revoked certificates.
A patch for CVE-2016-7444 has been released and is available through the software updates for affected GnuTLS versions.