- Document the recent chain validation vulnerability in gnutls.

PR: ports/128868 Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> (based on)
svn path=/head/; revision=222918
2008-11-16 09:59:35 +00:00 · 2008-11-16 09:59:35 +00:00 · 4a689e2dfb · 2021-03-31 03:12:20 +00:00
commit 4a689e2dfb
parent fc50450e56
1 changed files with 32 additions and 0 deletions
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@ -34,6 +34,38 @@ Note:  Please add new entries to the beginning of this file.

 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="45298931-b3bf-11dd-80f8-001cc0377035">
+    <topic>gnutls -- X.509 certificate chain validation vulnerability</topic>
+    <affects>
+      <package>
+	<name>gnutls</name>
+	<range><lt>2.4.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>SecurityFocus reports:</p>
+	<blockquote cite="http://www.securityfocus.com/bid/32232/discuss">
+	  <p>GnuTLS is prone to a security-bypass vulnerability because the
+	    application fails to properly validate chained X.509 certificates.
+	    Successfully exploiting this issue allows attackers to perform
+	    man-in-the-middle attacks by impersonating trusted servers.
+	    Unsuspecting users may be under a false sense of security that can
+	    aid attackers in launching further attacks.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <bid>32232</bid>
+      <cvename>CVE-2008-4989</cvename>
+      <url>http://www.gnu.org/software/gnutls/security.html</url>
+      <mlist msgid="4918143A.3050103@gmx.net">http://lists.gnu.org/archive/html/gnutls-devel/2008-11/msg00017.html</mlist>
+    </references>
+    <dates>
+      <discovery>2008-11-10</discovery>
+      <entry>2008-11-16</entry>
+    </dates>
+  </vuln>
  <vuln vid="daf045d7-b211-11dd-a987-000c29ca8953">
    <topic>net-snmp -- DoS for SNMP agent via crafted GETBULK request</topic>
    <affects>