Launchpad CVE tracker

CVE 2008-4989

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).

Related bugs and status

CVE-2008-4989 (Candidate) is related to these bugs:

Bug #305264: gnutls regression: failure in certificate chain validation

		In	Importance	Status
305264	gnutls regression: failure in certificate chain validation	gnutls12 (Ubuntu)	High	Invalid
305264	gnutls regression: failure in certificate chain validation	Landscape Server	High	Invalid
305264	gnutls regression: failure in certificate chain validation	Landscape Client	High	Invalid
305264	gnutls regression: failure in certificate chain validation	gnutls13 (Ubuntu)	High	Invalid
305264	gnutls regression: failure in certificate chain validation	gnutls26 (Ubuntu)	High	Fix Released
305264	gnutls regression: failure in certificate chain validation	gnutls12 (Ubuntu Intrepid)	Undecided	Invalid
305264	gnutls regression: failure in certificate chain validation	gnutls13 (Ubuntu Intrepid)	Undecided	Invalid
305264	gnutls regression: failure in certificate chain validation	gnutls26 (Ubuntu Intrepid)	High	Fix Released
305264	gnutls regression: failure in certificate chain validation	gnutls12 (Ubuntu Jaunty)	High	Invalid
305264	gnutls regression: failure in certificate chain validation	gnutls13 (Ubuntu Jaunty)	High	Invalid
305264	gnutls regression: failure in certificate chain validation	gnutls26 (Ubuntu Jaunty)	High	Fix Released
305264	gnutls regression: failure in certificate chain validation	gnutls12 (Ubuntu Dapper)	Undecided	Fix Released
305264	gnutls regression: failure in certificate chain validation	gnutls13 (Ubuntu Dapper)	Undecided	Invalid
305264	gnutls regression: failure in certificate chain validation	gnutls26 (Ubuntu Dapper)	Undecided	Invalid
305264	gnutls regression: failure in certificate chain validation	gnutls12 (Ubuntu Gutsy)	Undecided	Invalid
305264	gnutls regression: failure in certificate chain validation	gnutls13 (Ubuntu Gutsy)	Undecided	Won't Fix
305264	gnutls regression: failure in certificate chain validation	gnutls26 (Ubuntu Gutsy)	Undecided	Invalid
305264	gnutls regression: failure in certificate chain validation	gnutls12 (Ubuntu Hardy)	Undecided	Invalid
305264	gnutls regression: failure in certificate chain validation	gnutls13 (Ubuntu Hardy)	Undecided	Fix Released
305264	gnutls regression: failure in certificate chain validation	gnutls26 (Ubuntu Hardy)	Undecided	Invalid
305264	gnutls regression: failure in certificate chain validation	gnutls26 (Debian)	Unknown	Fix Released
305264	gnutls regression: failure in certificate chain validation	openldap (Ubuntu)	High	Fix Released
305264	gnutls regression: failure in certificate chain validation	openldap (Ubuntu Dapper)	Undecided	Invalid
305264	gnutls regression: failure in certificate chain validation	openldap (Ubuntu Gutsy)	Undecided	Invalid
305264	gnutls regression: failure in certificate chain validation	openldap (Ubuntu Hardy)	High	Fix Released
305264	gnutls regression: failure in certificate chain validation	openldap (Ubuntu Intrepid)	High	Fix Released
305264	gnutls regression: failure in certificate chain validation	openldap (Ubuntu Jaunty)	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2008-4989

References