Bug 920366 - (CVE-2014-8155) VUL-1: CVE-2014-8155: gnutls: gnutls does not perform date/time checks on CA certificates.
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
Reported: 2015-03-03 10:38 UTC by Marcus Meissner
Modified: 2015-06-08 12:46 UTC (History)

Found By: Security Response Team

Description Marcus Meissner 2015-03-03 10:38:01 UTC
via rh#1197995

It was found that gnutls did not perform date/time checks on CA certificates. Applications compiled against gnutls will continue to assume that a certificate is valid, even though the CA certificate (which signed this certificate) has expired.

This issue was fixed in gnutls-2.9.10 via the following commit:

Comment 1 Swamp Workflow Management 2015-03-11 12:40:59 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-03-25.
When done, reassign the bug to security-team@suse.de.
Comment 5 Marcus Meissner 2015-03-25 13:12:07 UTC
The gnutls 2.4.x release did not handle root CA expiry times, so we are not checking those in gnutls 2.4.x.

The ssl root ca store on SLES is regularly updated, so old CAs are removed via online updates.

So we currently do not plan to fix this problem for gnutls 2.4.x and older (SLE11 and older).
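
As an added illustration (not code from GnuTLS or from this bug report), the following C model contrasts checking only the end-entity validity window, as the description says gnutls did, with checking every certificate in the chain, including the root CA discussed in comment 5. All struct, function and constant names are hypothetical, the sample chain is constructed, and signature verification is reduced to issuer/subject name matching.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Simplified certificate model; hypothetical names, not a GnuTLS structure. */
struct cert { const char *subject, *issuer; time_t not_before, not_after; };
enum { ST_OK = 0, ST_BROKEN_CHAIN = 1, ST_NOT_ACTIVATED = 2, ST_EXPIRED = 4 };

static unsigned date_status(const struct cert *c, time_t now)
{
    unsigned st = ST_OK;
    if (now < c->not_before) st |= ST_NOT_ACTIVATED;
    if (now > c->not_after)  st |= ST_EXPIRED;
    return st;
}

/* chain[0] is the end-entity certificate, chain[n-1] the root CA.
 * check_ca_dates = 0 models the behaviour described in the bug (only the
 * end-entity dates are examined); 1 checks every issuer as well.
 * Signature verification is reduced to issuer/subject name linkage. */
unsigned verify_chain(const struct cert *chain, size_t n, time_t now,
                      int check_ca_dates, size_t *bad_index)
{
    for (size_t i = 0; i < n; i++) {
        unsigned st = ST_OK;
        if (i + 1 < n && strcmp(chain[i].issuer, chain[i + 1].subject) != 0)
            st = ST_BROKEN_CHAIN;
        else if (i == 0 || check_ca_dates)
            st = date_status(&chain[i], now);
        if (st != ST_OK) { *bad_index = i; return st; }
    }
    return ST_OK;
}

/* Constructed sample: leaf and intermediate valid, root expired at t = 1000. */
static const struct cert sample_chain[] = {
    { "www.example.test",        "Example Intermediate CA", 500, 3000 },
    { "Example Intermediate CA", "Example Root CA",         100, 4000 },
    { "Example Root CA",         "Example Root CA",           0, 1000 },
};

int main(void)
{
    size_t bad = 0;
    unsigned lax = verify_chain(sample_chain, 3, 2000, 0, &bad);
    unsigned strict = verify_chain(sample_chain, 3, 2000, 1, &bad);
    printf("leaf only: %u, all certs: %u at index %zu\n", lax, strict, bad);
    return 0;
}
```

With the constructed chain and a current time of 2000, the leaf-only mode accepts the chain while the full check reports the expired root at index 2.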
Comment 7 Andreas Stieger 2015-04-07 15:41:59 UTC
Comment 8 Marcus Meissner 2015-06-08 12:46:07 UTC
I would leave it as is for now.

Bug might have been incorrectly closed.