[Pkg-gnutls-commits] r826 - in /packages/gnutls26/branches/branch2.4.2-6lenny/debian: changelog libgnutls26.NEWS

ametzler at users.alioth.debian.org ametzler at users.alioth.debian.org
Sat Jan 9 14:26:13 UTC 2010 

Author: ametzler
Date: Sat Jan  9 14:26:12 2010
New Revision: 826

URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=826
Log:
add an entry to the NEWS.Debian file concerning the deprecation of RSA-MD2 and RSA-MD5 for signature verification.

Added:
    packages/gnutls26/branches/branch2.4.2-6lenny/debian/libgnutls26.NEWS
Modified:
    packages/gnutls26/branches/branch2.4.2-6lenny/debian/changelog

Modified: packages/gnutls26/branches/branch2.4.2-6lenny/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/branches/branch2.4.2-6lenny/debian/changelog?rev=826&op=diff
==============================================================================
--- packages/gnutls26/branches/branch2.4.2-6lenny/debian/changelog (original)
+++ packages/gnutls26/branches/branch2.4.2-6lenny/debian/changelog Sat Jan  9 14:26:12 2010
@@ -1,3 +1,11 @@
+gnutls26 (2.4.2-6+lenny3) UNRELEASED; urgency=low
+
+  * NOT RELEASED YET
+  * Finally add an entry to the NEWS.Debian file concerning the deprecation of
+    RSA-MD2 and RSA-MD5 for signature verification. Closes: #514578
+
+ -- Andreas Metzler <ametzler at debian.org>  Sat, 09 Jan 2010 15:21:54 +0100
+
 gnutls26 (2.4.2-6+lenny2) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team.

Added: packages/gnutls26/branches/branch2.4.2-6lenny/debian/libgnutls26.NEWS
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/branches/branch2.4.2-6lenny/debian/libgnutls26.NEWS?rev=826&op=file
==============================================================================
--- packages/gnutls26/branches/branch2.4.2-6lenny/debian/libgnutls26.NEWS (added)
+++ packages/gnutls26/branches/branch2.4.2-6lenny/debian/libgnutls26.NEWS Sat Jan  9 14:26:12 2010
@@ -1,0 +1,20 @@
+gnutls26 (2.4.2-5) unstable; urgency=medium
+
+  * The gnutls certificate verification code has been changed to stop
+    trusting some weak algoritms. Verifying untrusted X.509 certificates
+    signed with RSA-MD2 or RSA-MD5 will now fail with a
+    GNUTLS_CERT_INSECURE_ALGORITHM verification output.
+
+    See <http://www.win.tue.nl/hashclash/rogue-ca/>,
+    <http://bugs.debian.org/514578> and
+    <http://www.gnu.org/software/gnutls/manual/gnutls.html#Digital-signatures>
+
+    "certtool -i < signature.pem" will inform about the algoritm used for
+    signing (Search for "Signature Algorithm" in its output.). The proper
+    fix is to re-issue the certificates with a more secure algoritm. As a
+    hotfix the respective certicate itself can be added to the list of
+    trusted certificates. Obviously this should only be done after
+    verifying the certificate by different means than relying on the weak
+    signature.
+
+ -- Andreas Metzler <ametzler at debian.org>  Sat, 07 Feb 2009 12:58:51 +0100

More information about the Pkg-gnutls-commits mailing list