Bug 920366 (CVE-2014-8155)

Summary: VUL-1: CVE-2014-8155: gnutls: gnutls does not perform date/time checks on CA certificates.
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: astieger, meissner, smash_bz, vcizek
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/114373/
Whiteboard: .
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2015-03-03 10:38:01 UTC
via rh#1197995

It was found that gnutls did not perform date/time checks on CA certificates. Applications compiled against gnutls will continue to assume that a certificate is valid, even though the CA certificate (which signed this certificate) has expired.

This issue was fixed in gnutls-2.9.10 via the following commit:

Comment 1 Swamp Workflow Management 2015-03-11 12:40:59 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-03-25.
When done, reassign the bug to security-team@suse.de.

Comment 5 Marcus Meissner 2015-03-25 13:12:07 UTC
The gnutls 2.4.x release did not handle root CA expiry times, so we are not checking those in gnutls 2.4.x.

The SSL root CA store on SLES is regularly updated, so old CAs are removed via online updates.

So we currently do not plan to fix this problem for gnutls 2.4.x and older (SLE11 and older).
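
The gap this report describes, as an added example that is not part of the bug thread and is not GnuTLS source code: a simplified model comparing a verifier that time-checks only the end-entity certificate with one that time-checks every certificate up to the trust anchor. The `struct cert` type, the function names, and the sample chain are assumptions constructed for illustration.

```c
/* Added illustration: simplified model, not GnuTLS source code. */
#include <stddef.h>
#include <time.h>

/* Hypothetical minimal certificate: only the fields a time check needs. */
struct cert {
    const char *subject;
    time_t not_before;              /* activation time (epoch seconds) */
    time_t not_after;               /* expiration time (epoch seconds) */
};

enum time_status { TIME_OK, TIME_NOT_ACTIVATED, TIME_EXPIRED, TIME_NO_CHAIN };

static enum time_status check_time(const struct cert *c, time_t now)
{
    if (now < c->not_before) return TIME_NOT_ACTIVATED;
    if (now > c->not_after)  return TIME_EXPIRED;
    return TIME_OK;
}

/* Gap described in the report: only chain[0] (the end-entity certificate)
 * is compared with the clock; the CA certificates above it are skipped. */
enum time_status verify_time_leaf_only(const struct cert *chain, size_t n, time_t now)
{
    return n ? check_time(&chain[0], now) : TIME_NO_CHAIN;
}

/* Every certificate, leaf to trust anchor, must be inside its validity
 * window. On failure *bad_idx (if non-NULL) gets the offending index. */
enum time_status verify_time_full_chain(const struct cert *chain, size_t n,
                                        time_t now, size_t *bad_idx)
{
    if (n == 0) return TIME_NO_CHAIN;
    for (size_t i = 0; i < n; i++) {
        enum time_status s = check_time(&chain[i], now);
        if (s != TIME_OK) {
            if (bad_idx) *bad_idx = i;
            return s;
        }
    }
    return TIME_OK;
}

/* Constructed sample: leaf and intermediate are current, root CA has expired. */
static const struct cert SAMPLE_CHAIN[] = {
    { "CN=www.example.test",     1420070400, 1451606400 }, /* 2015-01-01 .. 2016-01-01 */
    { "CN=Example Intermediate", 1262304000, 1577836800 }, /* 2010-01-01 .. 2020-01-01 */
    { "CN=Example Root CA",      1104537600, 1419984000 }, /* 2005-01-01 .. 2014-12-31 */
};
static const time_t SAMPLE_NOW = 1425340800;               /* 2015-03-03 00:00:00 UTC */
```

With the constructed chain, the leaf-only check accepts the chain while the full-chain check reports the expired root at index 2.
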
Comment 7 Andreas Stieger 2015-04-07 15:41:59 UTC

Comment 8 Marcus Meissner 2015-06-08 12:46:07 UTC
I would leave it as is for now.

Bug might have been incorrectly closed.