Hello community, here is the log from the commit of package gnutls checked in at Fri Nov 28 15:05:58 CET 2008. -------- --- gnutls/gnutls.changes 2008-10-30 11:05:54.000000000 +0100 +++ gnutls/gnutls.changes 2008-11-28 06:52:14.755460000 +0100 @@ -1,0 +2,6 @@ +Fri Nov 28 06:53:37 CET 2008 - jshi@suse.de + +- fix security bug [bnc#441856] + CVE-2008-4989 + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- CVE-2008-4989.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.O11484/_old 2008-11-28 15:04:02.000000000 +0100 +++ /var/tmp/diff_new_pack.O11484/_new 2008-11-28 15:04:02.000000000 +0100 @@ -21,12 +21,13 @@ Name: gnutls BuildRequires: gcc-c++ libgcrypt-devel libopencdk-devel Version: 2.4.1 -Release: 22 +Release: 23 License: GPL v3 or later; LGPL v2.1 or later BuildRoot: %{_tmppath}/%{name}-%{version}-build Url: http://www.gnutls.org/ Source0: %name-%version.tar.bz2 Patch1: gnutls-2.4.1-disable_cxx.patch +Patch2: CVE-2008-4989.patch Summary: The GNU Transport Layer Security Library Group: Productivity/Networking/Security AutoReqProv: on @@ -144,6 +145,7 @@ %prep %setup -q %patch1 -p1 +%patch2 -p1 %build autoreconf -fi @@ -230,6 +232,9 @@ %_libdir/pkgconfig/gnutls-extra.pc %changelog +* Fri Nov 28 2008 jshi@suse.de +- fix security bug [bnc#441856] + CVE-2008-4989 * Thu Oct 30 2008 olh@suse.de - obsolete old -XXbit packages (bnc#437293) * Sat Aug 02 2008 meissner@suse.de 
@@ -465,7 +470,7 @@ - Update to version 1.2.3 (fixes gnutls DOS Bug #83481) - Include defines.h before gnutls.h, to pull in config.h, to make sure memmem.h prototype memmem properly -* Sun Jan 30 2005 hvogel@suse.de +* Sat Jan 29 2005 hvogel@suse.de - Update to version 1.2.0 * Wed Jan 19 2005 hvogel@suse.de - update to version 1.1.23 ++++++ CVE-2008-4989.patch ++++++ Index: gnutls/lib/x509/verify.c =================================================================== --- gnutls/lib/x509/verify.c 2008-11-10 10:58:33.000000000 +0100 +++ gnutls/lib/x509/verify.c 2008-11-10 10:58:41.000000000 +0100 @@ -374,6 +374,17 @@ int i = 0, ret; unsigned int status = 0, output; + /* Check if the last certificate in the path is self signed. + * In that case ignore it (a certificate is trusted only if it + * leads to a trusted party by us, not the server's). + */ + if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], + certificate_list[clist_size - 1]) > 0 + && clist_size > 0) + { + clist_size--; + } + /* Verify the last certificate in the certificate path * against the trusted CA certificate list. * @@ -412,17 +423,6 @@ } #endif - /* Check if the last certificate in the path is self signed. - * In that case ignore it (a certificate is trusted only if it - * leads to a trusted party by us, not the server's). - */ - if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], - certificate_list[clist_size - 1]) > 0 - && clist_size > 0) - { - clist_size--; - } - /* Verify the certificate path (chain) */ for (i = clist_size - 1; i > 0; i--) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
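Review bot: in the gnutls.changes hunk (@@ -1,0 +2,6 @@), the new entry names only bnc#441856 and CVE-2008-4989 and does not say what was changed. One line on the actual change would let a reader of the changelog judge the impact without opening the patch: per the comment in CVE-2008-4989.patch, a self-signed certificate at the end of the chain is now dropped in lib/x509/verify.c before the chain is checked against the trusted CA list. The same applies to the matching %changelog entry added to gnutls.spec.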
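Review bot: in the gnutls.spec hunk at @@ -465,7 +470,7 @@, the date of an existing 2005 entry is changed from "Sun Jan 30 2005" to "Sat Jan 29 2005", which has nothing to do with the CVE-2008-4989 fix and is not mentioned in the new changelog entry. Both weekday and date pairs are internally consistent, so this is not a typo fix. If the change comes from regenerating %changelog, say so; otherwise drop it from this security update so the diff contains only the fix.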
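Review bot: in the lib/x509/verify.c hunk at @@ -374,6 +374,17 @@, the moved condition calls gnutls_x509_crt_check_issuer on certificate_list[clist_size - 1] before it tests clist_size > 0, so for an empty list the array is indexed at -1 before the guard is evaluated. Put the size test first so that && short-circuits ahead of the array access. The block now also runs ahead of the step commented "Verify the last certificate in the certificate path against the trusted CA certificate list", so a list consisting of a single self-signed certificate reaches that step with clist_size == 0. Either require clist_size > 1 before doing clist_size--, or confirm that the code following this hunk handles an empty list.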