Tuesday, November 11, 2008

Security Update: Gnutls

One security update has been released today, along with Pidgin and KTorrent updates. Pidgin was recompiled with the new gnutls (which happened to be the security update package). Here's the latest -Current changelog:
Mon Nov 10 19:19:50 CST 2008
n/gnutls-2.6.1-i486-1.tgz: Upgraded to gnutls-2.6.1.
From the gnutls-2.6.1 NEWS file:
** libgnutls: Fix X.509 certificate chain validation error.
[GNUTLS-SA-2008-3] The flaw makes it possible for man in the middle attackers (i.e., active attackers) to assume any name and trick GNU TLS clients into trusting that name. Thanks for report and analysis from Martin von Gagern. [CVE-2008-4989]
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989
(* Security fix *)

xap/pidgin-2.5.2-i486-2.tgz: Recompiled against gnutls-2.6.1.

extra/ktorrent/ktorrent-2.2.8-i486-1.tgz: Upgraded to ktorrent-2.2.8. \ö/
Thanks to Erik Jan Tromp for pointing this out, and the great use of umlaut.