Debian DSA-1935-1 : gnutls13 gnutls26 - several vulnerabilities
High Nessus Plugin ID 44800
SynopsisThe remote Debian host is missing a security-related update.
DescriptionDan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of the TLS/SSL protocol, does not properly handle a '\0' character in a domain name in the subject's Common Name or Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
In addition, with this update, certificates with MD2 hash signatures are no longer accepted since they're no longer considered cryptograhically secure. It only affects the oldstable distribution (etch).(CVE-2009-2409 )
SolutionUpgrade the gnutls13/gnutls26 packages.
For the oldstable distribution (etch), these problems have been fixed in version 1.4.4-3+etch5 for gnutls13.
For the stable distribution (lenny), these problems have been fixed in version 2.4.2-6+lenny2 for gnutls26.