Bugzilla – Bug 919938
VUL-1: CVE-2015-0294: gnutls: certificate algorithm consistency checking issue
Last modified: 2015-04-20 15:05:36 UTC
Created attachment 624825
Reproducer

rh#1196323

All versions of GnuTLS did not check whether the two signature algorithms match on certificate import. There are no known attacks that could lead to a forged certificate because of that, but the possibility of it is not eliminated either (it depends on whether there can be cross-signature attacks).

Upstream commit that fixes this:
https://gitorious.org/gnutls/gnutls/commit/6e76e9b9fa845b76b0b9a45f05f4b54a052578ff

Issue can be reproduced by running "certtool -e" on the attached PEM file.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1196323
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0294
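The consistency check described in the report above, as an added example (not part of the bug report and not the GnuTLS patch): it compares the AlgorithmIdentifier inside tbsCertificate with the outer signatureAlgorithm of a DER certificate. The function names, the byte-for-byte comparison and the skeleton sample certificate are assumptions made for this illustration.

```python
def tlv(tag, value):
    """Encode one DER TLV (short-form length only; enough for the sample)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos, limit):
    """Return (tag, value_start, value_end) of the DER TLV at pos, within limit."""
    if pos + 2 > limit:
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = size of length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_algorithms(der):
    """Return (inner, outer) AlgorithmIdentifier encodings of a DER certificate."""
    tag, start, end = read_tlv(der, 0, len(der))             # Certificate
    tbs_tag, tbs_start, tbs_end = read_tlv(der, start, end)  # tbsCertificate
    out_tag, _, out_end = read_tlv(der, tbs_end, end)        # signatureAlgorithm
    pos = tbs_start
    f_tag, _, f_end = read_tlv(der, pos, tbs_end)
    if f_tag == 0xA0:                                        # optional [0] version
        pos = f_end
        f_tag, _, f_end = read_tlv(der, pos, tbs_end)
    if f_tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    in_tag, _, in_end = read_tlv(der, f_end, tbs_end)        # tbsCertificate.signature
    if (tag, tbs_tag, out_tag, in_tag) != (0x30,) * 4:
        raise ValueError("unexpected certificate structure")
    return der[f_end:in_end], der[tbs_end:out_end]

def algorithms_consistent(der):
    """True when both fields carry the same algorithm OID and parameters."""
    inner, outer = signature_algorithms(der)
    return inner == outer

# Constructed sample data: skeleton DER holding only the fields read above.
# It is not a complete certificate and not the attached reproducer.
SHA256_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
SHA1_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))

def sample_cert(inner, outer):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + inner)
    return tlv(0x30, tbs + outer + tlv(0x03, b"\x00"))
```

A PEM file has to be base64-decoded to DER before it is passed to `algorithms_consistent`.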
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-03-25. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61058
this seems kind of related to bug 921684
This is an autogenerated message for OBS integration: This bug (919938) was mentioned in https://build.opensuse.org/request/show/292099 13.2+13.1 / gnutls
openSUSE-SU-2015:0622-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 919938
CVE References: CVE-2015-0294
Sources used:
openSUSE 13.2 (src): gnutls-3.2.18-8.1
openSUSE 13.1 (src): gnutls-3.2.4-2.32.1
SUSE-SU-2015:0675-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 919938,921684
CVE References: CVE-2014-8155,CVE-2015-0282,CVE-2015-0294
Sources used:
SUSE Manager 1.7 for SLE 11 SP2 (src): gnutls-2.4.1-24.39.55.1
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): gnutls-2.4.1-24.39.55.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): gnutls-2.4.1-24.39.55.1
SUSE Linux Enterprise Server 11 SP3 (src): gnutls-2.4.1-24.39.55.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src): gnutls-2.4.1-24.39.55.1
SUSE Linux Enterprise Desktop 11 SP3 (src): gnutls-2.4.1-24.39.55.1
released
SUSE-SU-2015:0735-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 919938
CVE References: CVE-2015-0294
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): gnutls-3.2.15-7.2
SUSE Linux Enterprise Server 12 (src): gnutls-3.2.15-7.2
SUSE Linux Enterprise Desktop 12 (src): gnutls-3.2.15-7.2