Jeff Cai <[email protected]> writes: >> What's New >> ========== >> >> ** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields. >> By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS >> into 1) not printing the entire CN/SAN field value when printing a >> certificate and 2) cause incorrect positive matches when matching a >> hostname against a certificate. Some CAs apparently have poor >> checking of CN/SAN values and issue these (arguable invalid) >> certificates. Combined, this can be used by attackers to become a >> MITM on server-authenticated TLS sessions. The problem is mitigated >> since attackers needs to get one certificate per site they want to >> attack, and the attacker reveals his tracks by applying for a >> certificate at the CA. It does not apply to client authenticated TLS >> sessions. Research presented independently by Dan Kaminsky and Moxie >> Marlinspike at BlackHat09. Thanks to Tomas Hoger <[email protected]> >> for providing one part of the patch. [GNUTLS-SA-2009-4]. > > How is it affecting old versions of gnutls like 2.6 and 2.4? Do they > also need a patch applied if not upgrading them?
Yes. I believe all earlier versions are affected. /Simon _______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
