From: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------ Debian Security Advisory DSA-1719-1 [email protected] http://www.debian.org/security/ Florian Weimer February 10, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : gnutls13
Vulnerability : design flaw
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-4989
Debian Bug : 505360

Martin von Gagern discovered that GNUTLS, an implementation of the
TLS/SSL protocol, handles verification of X.509 certificate chains
incorrectly if a self-signed certificate is configured as a trusted certificate. This could cause clients to accept forged server
certificates as genuine. (CVE-2008-4989)

In addition, this update tightens the checks for X.509v1 certificates
which causes GNUTLS to reject certain certificate chains it accepted
before. (In certificate chain processing, GNUTLS does not recognize
X.509v1 certificates as valid unless explicitly requested by the
application.)

For the stable distribution (etch), this problem has been fixed in
version 1.4.4-3+etch3.

For the unstable distribution (sid), this problem has been fixed in
version 2.4.2-3 of the gnutls26 package.

We recommend that you upgrade your gnutls13 packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4-3+etch2.dsc
Size/MD5 checksum: 967 97d676fb2a9de5a2706da79baf5fc53f
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4-3+etch3.diff.gz
Size/MD5 checksum: 20931 d1f9a5483e2ff3b6f799f14cc90e0ba4
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4.orig.tar.gz
Size/MD5 checksum: 4752009 c06ada020e2b69caa51833175d59f8b2
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4-3+etch2.diff.gz
Size/MD5 checksum: 19550 d362897a57e2bac2f059413ea29540be
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4-3+etch3.dsc
Size/MD5 checksum: 967 c523874d91b1d19b0a59c6d51ada21e6

Architecture independent packages:

http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-doc_1.4.4-3+etch2_all.deb
Size/MD5 checksum: 2315360 2892fedc83604472a40cb9e16b64fad2
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-doc_1.4.4-3+etch3_all.deb
Size/MD5 checksum: 2315508 9fe5532897a55d3f8b2954a7294920e1

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_alpha.deb
Size/MD5 checksum: 328102 19e0618dac4d13a9d284019365ef07f9
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_alpha.deb
Size/MD5 checksum: 547328 0fc6cb94c0a9b65067fc17e0db0e4e7c
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_alpha.deb
Size/MD5 checksum: 523950 a149137fe64abc4b7e33d66e1345b9c0
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_alpha.deb
Size/MD5 checksum: 524034 0d510406095b7f9bf9dd06b74502c94a
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_alpha.deb
Size/MD5 checksum: 327990 8b39649670392f353c183032aab1040b
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_alpha.deb
Size/MD5 checksum: 547418 fd17990e04770d7447e6fd136cb0f726
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_alpha.deb
Size/MD5 checksum: 196336 a2385c40d8118a84442449d7720d4437
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_alpha.deb
Size/MD5 checksum: 196416 9b570f6739f2071ef8e857f897b0fe73

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_amd64.deb
Size/MD5 checksum: 314678 9a2fca4364ab01e77da051e1c637cace
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_amd64.deb
Size/MD5 checksum: 538540 9bad40a6891bacf73ab92d492946439e
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_amd64.deb
Size/MD5 checksum: 183432 04c381e380452347c0b8c866cd32a0d1
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_amd64.deb
Size/MD5 checksum: 314542 bd3466107c5a3e81bae9fc6ce16b3f07
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_amd64.deb
Size/MD5 checksum: 389192 7e1f1ee9b50dbe59303ee92d06d638f9
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_amd64.deb
Size/MD5 checksum: 183526 deb90128a086f94d4213ae8d0ebb2aac
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_amd64.deb
Size/MD5 checksum: 389078 937898ee8ebfbb6c96ec327182aa66c9
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_amd64.deb
Size/MD5 checksum: 538694 30f0f5f5236de80b969ab142003facda

arm architecture (ARM)

http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_arm.deb
Size/MD5 checksum: 355130 d314daec4d8653d21f5aa755b133ce44
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_arm.deb
Size/MD5 checksum: 169734 a0760138aa40ef409bebc45f21482fa6
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_arm.deb
Size/MD5 checksum: 283218 86a51ac92283cf4d41f8b80e208d3ea0

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)