Information Security


GnuTLS library certificate spoofing
Published: August 20, 2009
Source:
SecurityVulns ID: 10169
Type: library
Severity: 6/10
Description: A certificate name can be spoofed via a null character; certificates with the weak MD2 hash are accepted.
Affected products: GNU : GnuTLS 2.8
CVE: CVE-2009-2730 (libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.)
 CVE-2009-2409 (The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.)
Original text: UBUNTU, [USN-809-1] GnuTLS vulnerabilities (20.08.2009)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod