Comment 2 for bug 305264

Jamie Strandboge (jdstrand) wrote :

The patch (ebian/patches/91_CVE-2008-4989.dif) is consistent with upstream's 2.6.2. The 2.6.1 fix for this CVE introduced a regression (see Debian Upstream's response (and patch) can be read about here:

Ubuntu never suffered from this regression, and has the full patch as seen in 2.6.2. Could gnutls have been too lenient in the past? If the certificate is self-signed, you should be able to use '--insecure' to connect to staging.