[Pkg-gnutls-commits] r750 - in /packages/gnutls26/trunk/debian: changelog libgnutls26.NEWS

ametzler at users.alioth.debian.org ametzler at users.alioth.debian.org
Sun Aug 2 07:35:31 UTC 2009 

Author: ametzler
Date: Sun Aug  2 07:35:28 2009
New Revision: 750

URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=750
Log:
Describe deprecation of RSA-MD2 and RSA-MD5 in NEWS.Debian.

Modified:
    packages/gnutls26/trunk/debian/changelog
    packages/gnutls26/trunk/debian/libgnutls26.NEWS

Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=750&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Sun Aug  2 07:35:28 2009
@@ -5,6 +5,10 @@
   [ Simon Josefsson ]
   * Remove cruft in rules file.
   * Remove patches/15_tasn1inpc.diff, not needed.
+
+  [ Andreas Metzler ]
+  * Finally add a entry to the NEWS.Debian file concerning the deprecation of
+    RSA-MD2 and RSA-MD5 for signature verification. Closes: #514578
 
  -- Andreas Metzler <ametzler at debian.org>  Thu, 11 Jun 2009 09:36:57 +0200
 

Modified: packages/gnutls26/trunk/debian/libgnutls26.NEWS
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/libgnutls26.NEWS?rev=750&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/libgnutls26.NEWS (original)
+++ packages/gnutls26/trunk/debian/libgnutls26.NEWS Sun Aug  2 07:35:28 2009
@@ -22,3 +22,24 @@
     http://www.gnu.org/software/gnutls/security.html
 
  -- Andreas Metzler <ametzler at debian.org>  Thu, 30 Apr 2009 19:00:21 +0200
+
+gnutls26 (2.4.2-5) unstable; urgency=medium
+
+  * The gnutls certificate verification code has been changed to stop
+    trusting some weak algoritms. Verifying untrusted X.509 certificates
+    signed with RSA-MD2 or RSA-MD5 will now fail with a
+    GNUTLS_CERT_INSECURE_ALGORITHM verification output.
+
+    See <http://www.win.tue.nl/hashclash/rogue-ca/>,
+    <http://bugs.debian.org/514578> and
+    <http://www.gnu.org/software/gnutls/manual/gnutls.html#Digital-signatures>
+
+    "certtool -i < signature.pem" will inform about the algoritm used for
+    signing (Search for "Signature Algorithm" in its output.). The proper
+    fix is to re-issue the certificates with a more secure algoritm. As a
+    hotfix the respective certicate itself can be added to the list of
+    trusted certificates. Obviously this should only be done after
+    verifying the certificate by different means than relying on the weak
+    signature.
+
+ -- Andreas Metzler <ametzler at debian.org>  Sat, 07 Feb 2009 12:58:51 +0100

More information about the Pkg-gnutls-commits mailing list