Bug 920366 - (CVE-2014-8155) VUL-1: CVE-2014-8155: gnutls: gnutls does not perform date/time checks on CA certificates.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/114373/
Reported: 2015-03-03 10:38 UTC by Marcus Meissner
Modified: 2015-06-08 12:46 UTC
Found By: Security Response Team
Description Marcus Meissner 2015-03-03 10:38:01 UTC
via rh#1197995

It was found that gnutls did not perform date/time checks on CA certificates. Applications compiled against gnutls will continue to assume that a certificate is valid, even though the CA certificate (which signed this certificate) has expired.

This issue was fixed in gnutls-2.9.10 via the following commit:
https://gitorious.org/gnutls/gnutls/commit/897cbce62c0263a498088ac3e465aa5f05f8719c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1197995
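
A simplified model of the flaw described in this report, added here as an illustration and not taken from gnutls or from the fix commit: a verifier that checks only the end-entity validity dates next to one that checks every certificate up to the CA. `struct cert`, the function names and the sample chain are constructed for the example, and signature verification is assumed to have succeeded already.

```c
#include <stdio.h>
#include <time.h>

/* Simplified model of an X.509 certificate: only the validity window
 * matters here. This is not a gnutls type. */
struct cert {
    const char *subject;
    time_t not_before;
    time_t not_after;
};

static int in_validity_window(const struct cert *c, time_t now)
{
    return now >= c->not_before && now <= c->not_after;
}

/* chain[0] is the end-entity certificate, chain[n-1] is the trusted CA.
 * Signature checks are assumed to have passed and are out of scope.
 * Behaviour described in the report: only the end-entity dates are checked. */
int verify_leaf_dates_only(const struct cert *chain, size_t n, time_t now)
{
    return n > 0 && in_validity_window(&chain[0], now);
}

/* Hardened form: every certificate up to and including the CA must be
 * inside its validity window. Returns 1 if the chain is acceptable. */
int verify_all_dates(const struct cert *chain, size_t n, time_t now)
{
    if (n == 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!in_validity_window(&chain[i], now))
            return 0;
    return 1;
}

/* Constructed sample: leaf valid at NOW, CA expired before NOW. */
#define NOW ((time_t)1425379081)  /* 2015-03-03 10:38:01 UTC */
static const struct cert sample_chain[] = {
    { "CN=www.example.test", 1420070400, 1451606400 }, /* 2015-01-01..2016-01-01 */
    { "CN=Example Test CA",  1104537600, 1420070400 }, /* 2005-01-01..2015-01-01 */
};

int main(void)
{
    printf("leaf-only check: %d\n", verify_leaf_dates_only(sample_chain, 2, NOW));
    printf("full-chain check: %d\n", verify_all_dates(sample_chain, 2, NOW));
    return 0;
}
```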
Comment 1 Swamp Workflow Management 2015-03-11 12:40:59 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-03-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61058
Comment 5 Marcus Meissner 2015-03-25 13:12:07 UTC
The gnutls 2.4.x release did not handle root CA expiry times, so we are not checking those in gnutls 2.4.x.

The SSL root CA store on SLES is regularly updated, so old CAs are removed via online updates.

So we currently do not plan to fix this problem for gnutls 2.4.x and older (SLE11 and older).
Comment 7 Andreas Stieger 2015-04-07 15:41:59 UTC
Releasing
Comment 8 Marcus Meissner 2015-06-08 12:46:07 UTC
I would leave it as is for now.

Bug might have been incorrectly closed.