PT-2008-6890 · Gnu+2 · Libgnutls13-Dbg+7

Published: 1970-01-01 · Updated: 2024-06-15 · CVE-2008-4989

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

GnuTLS versions prior to 2.6.1
gnutls-bin (affected versions not specified)
gnutls-doc (affected versions not specified)
libgnutls13 (affected versions not specified)
libgnutls13-dbg (affected versions not specified)
libgnutls-dev (affected versions not specified)
Gentoo Linux gnutls versions prior to 2.4.1-r2

Description

The issue is related to multiple vulnerabilities in the GnuTLS package, which can lead to a breach of protected information integrity. These vulnerabilities can be exploited remotely. Specifically, the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, allowing man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).

Recommendations

For GnuTLS versions prior to 2.6.1, update to version 2.6.1 or later to resolve the issue.
For gnutls-bin, gnutls-doc, libgnutls13, libgnutls13-dbg, and libgnutls-dev, there is at the moment no information about a newer version that contains a fix for this vulnerability.
For Gentoo Linux gnutls versions prior to 2.4.1-r2, update to version 2.4.1-r2 or later to resolve the issue.

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

BDU:2015-01455
BDU:2015-01456
BDU:2015-01457
BDU:2015-01458
BDU:2015-01459
BDU:2015-09363
CVE-2008-4989
DSA-1719-1
OPENSUSE-SU-2024:10105-1
RHSA-2008:0982
RHSA-2008_0982

Affected Products

Gentoo Linux
Gnutls
Red Hat
Gnutls-Bin
Gnutls-Doc
Libgnutls-Dev
Libgnutls13
Libgnutls13-Dbg