Synopsis: Moderate: gnutls security and bug fix update
Advisory ID: SLSA-2015:1457-1
Issue Date: 2015-07-22
CVE Numbers: CVE-2015-0282
It was found that GnuTLS did not check activation and expiration dates of
CA certificates. This could cause an application using GnuTLS to
incorrectly accept a certificate as valid when its issuing CA is already
It was found that GnuTLS did not verify whether a hashing algorithm listed
in a signature matched the hashing algorithm listed in the certificate. An
attacker could create a certificate that used a different hashing
algorithm than it claimed, possibly causing GnuTLS to use an insecure,
disallowed hashing algorithm during certificate verification.
It was discovered that GnuTLS did not check if all sections of X.509
certificates indicate the same signature algorithm. This flaw, in
combination with a different flaw, could possibly lead to a bypass of the
certificate signature check. (CVE-2015-0294)
This update also fixes the following bug:
* Previously, under certain circumstances, the certtool utility could
generate X.509 certificates which contained a negative modulus.
Consequently, such certificates could have interoperation problems with
the software using them. The bug has been fixed, and certtool no longer
generates X.509 certificates containing a negative modulus.
– Scientific Linux Development Team