Viewing all changes in revision 9.
- Committer: Bazaar Package Importer
- Date: 2009-08-18 14:21:17 UTC
- Revision ID: james.westby@ubuntu.com-20090818142117-mnvl1dyhym6ur7la
* SECURITY UPDATE: fix improper handling of '\0' in Common Name (CN) and
Subject Alternative Name (SAN) in X.509 certificates (LP: #413136)
- debian/patches/91_CVE-2009-2730.diff: verify length of CN and SAN
are what we expect and error out if either contains an embedded \0.
This fixed required fixing gnutls_x509_crt_check_hostname() to not
"treat absence of CN in subject as a successful RFC 2818 hostname"
This fix also required updating _gnutls_hostname_compare() in
lib/x509/rfc2818_hostname.c to support wide wildcard hostname and ip
address matching. This is a backward compatible change and which only
adds additional matching of hostnames.
- CVE-2009-2730
Subject Alternative Name (SAN) in X.509 certificates (LP: #413136)
- debian/patches/91_CVE-2009-2730.diff: verify length of CN and SAN
are what we expect and error out if either contains an embedded \0.
This fixed required fixing gnutls_x509_crt_check_hostname() to not
"treat absence of CN in subject as a successful RFC 2818 hostname"
This fix also required updating _gnutls_hostname_compare() in
lib/x509/rfc2818_hostname.c to support wide wildcard hostname and ip
address matching. This is a backward compatible change and which only
adds additional matching of hostnames.
- CVE-2009-2730
- files added:
- debian/patches/91_CVE-2009-2730.diff
- files modified:
- debian/changelog
expand all
collapse all
added
removed
