[Bug 1928648] [NEW] expiring trust anchor compatibility issue

Dimitri John Ledkov 1928648 at bugs.launchpad.net
Mon May 17 08:54:57 UTC 2021 

*** This bug is a security vulnerability ***

Public security bug reported:

https://community.letsencrypt.org/t/openssl-client-compatibility-
changes-for-let-s-encrypt-certificates/143816

Currently gnutls28 in bionic and earlier will not establish a
connection, if any parts of the trust chain have expired, even though
alternative non-expired chains are available.

This has been fixed in GnuTLS 3.6.14, but probably should be backported
to bionic and earlier if it was not already been done so.

https://gitlab.com/gnutls/gnutls/-/issues/1008

https://gitlab.com/gnutls/gnutls/-/merge_requests/1271

** Affects: gnutls28 (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: gnutls28 (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: gnutls28 (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: gnutls28 (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: gnutls28 (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Also affects: gnutls28 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: gnutls28 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: gnutls28 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: gnutls28 (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: gnutls28 (Ubuntu)
       Status: New => Fix Released

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1928648

Title:
  expiring trust anchor compatibility issue

Status in gnutls28 package in Ubuntu:
  Fix Released
Status in gnutls28 source package in Precise:
  New
Status in gnutls28 source package in Trusty:
  New
Status in gnutls28 source package in Xenial:
  New
Status in gnutls28 source package in Bionic:
  New

Bug description:
  https://community.letsencrypt.org/t/openssl-client-compatibility-
  changes-for-let-s-encrypt-certificates/143816

  Currently gnutls28 in bionic and earlier will not establish a
  connection, if any parts of the trust chain have expired, even though
  alternative non-expired chains are available.

  This has been fixed in GnuTLS 3.6.14, but probably should be
  backported to bionic and earlier if it was not already been done so.

  https://gitlab.com/gnutls/gnutls/-/issues/1008

  https://gitlab.com/gnutls/gnutls/-/merge_requests/1271

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648/+subscriptions

More information about the foundations-bugs mailing list