[Pkg-gnutls-commits] r764 - in /packages/gnutls26/branches/branch2.4.2-6lenny/debian: changelog libgnutls26.NEWS

ametzler at users.alioth.debian.org ametzler at users.alioth.debian.org
Sat Aug 22 08:43:10 UTC 2009 

Author: ametzler
Date: Sat Aug 22 08:43:10 2009
New Revision: 764

URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=764
Log:
Document deprecation of RSA-MD2 and RSA-MD5 for signature verification.

Added:
    packages/gnutls26/branches/branch2.4.2-6lenny/debian/libgnutls26.NEWS
Modified:
    packages/gnutls26/branches/branch2.4.2-6lenny/debian/changelog

Modified: packages/gnutls26/branches/branch2.4.2-6lenny/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/branches/branch2.4.2-6lenny/debian/changelog?rev=764&op=diff
==============================================================================
--- packages/gnutls26/branches/branch2.4.2-6lenny/debian/changelog (original)
+++ packages/gnutls26/branches/branch2.4.2-6lenny/debian/changelog Sat Aug 22 08:43:10 2009
@@ -4,6 +4,8 @@
     to NUL bytes in X.509 certificate name fields. Closes: #541439
     + 26_CVE-2009-2730_2.4.1.patch.
     + 27_fix_opengpp.diff - Previous patch broke openpgp auth.
+  * Finally add an entry to the NEWS.Debian file concerning the deprecation of
+    RSA-MD2 and RSA-MD5 for signature verification. Closes: #514578
 
  -- Andreas Metzler <ametzler at debian.org>  Sat, 22 Aug 2009 08:56:57 +0200
 

Added: packages/gnutls26/branches/branch2.4.2-6lenny/debian/libgnutls26.NEWS
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/branches/branch2.4.2-6lenny/debian/libgnutls26.NEWS?rev=764&op=file
==============================================================================
--- packages/gnutls26/branches/branch2.4.2-6lenny/debian/libgnutls26.NEWS (added)
+++ packages/gnutls26/branches/branch2.4.2-6lenny/debian/libgnutls26.NEWS Sat Aug 22 08:43:10 2009
@@ -1,0 +1,20 @@
+gnutls26 (2.4.2-5) unstable; urgency=medium
+
+  * The gnutls certificate verification code has been changed to stop
+    trusting some weak algoritms. Verifying untrusted X.509 certificates
+    signed with RSA-MD2 or RSA-MD5 will now fail with a
+    GNUTLS_CERT_INSECURE_ALGORITHM verification output.
+
+    See <http://www.win.tue.nl/hashclash/rogue-ca/>,
+    <http://bugs.debian.org/514578> and
+    <http://www.gnu.org/software/gnutls/manual/gnutls.html#Digital-signatures>
+
+    "certtool -i < signature.pem" will inform about the algoritm used for
+    signing (Search for "Signature Algorithm" in its output.). The proper
+    fix is to re-issue the certificates with a more secure algoritm. As a
+    hotfix the respective certicate itself can be added to the list of
+    trusted certificates. Obviously this should only be done after
+    verifying the certificate by different means than relying on the weak
+    signature.
+
+ -- Andreas Metzler <ametzler at debian.org>  Sat, 07 Feb 2009 12:58:51 +0100

More information about the Pkg-gnutls-commits mailing list