diff --git a/CVE-2008-4989.patch b/CVE-2008-4989.patch
new file mode 100644
index 0000000..2f0d2b4
--- /dev/null
+++ b/CVE-2008-4989.patch
@@ -0,0 +1,40 @@
+Index: gnutls/lib/x509/verify.c
+===================================================================
+--- gnutls/lib/x509/verify.c 2008-11-10 10:58:33.000000000 +0100
++++ gnutls/lib/x509/verify.c 2008-11-10 10:58:41.000000000 +0100
+@@ -374,6 +374,17 @@
+ int i = 0, ret;
+ unsigned int status = 0, output;
++ /* Check if the last certificate in the path is self signed.
++ * In that case ignore it (a certificate is trusted only if it
++ * leads to a trusted party by us, not the server's).
++ */
++ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
++ certificate_list[clist_size - 1]) > 0
++ && clist_size > 0)
++ {
++ clist_size--;
++ }
++
+ /* Verify the last certificate in the certificate path
+ * against the trusted CA certificate list.
+ *
+@@ -412,17 +423,6 @@
+ }
+ #endif
+
+- /* Check if the last certificate in the path is self signed.
+- * In that case ignore it (a certificate is trusted only if it
+- * leads to a trusted party by us, not the server's).
+- */
+- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+- certificate_list[clist_size - 1]) > 0
+- && clist_size > 0)
+- {
+- clist_size--;
+- }
+-
+ /* Verify the certificate path (chain)
+ */
+ for (i = clist_size - 1; i > 0; i--)
diff --git a/gnutls.changes b/gnutls.changes
index abb5beb..50a935d 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Nov 28 06:53:37 CET 2008 - jshi@suse.de
+
+- fix security bug [bnc#441856]
+ CVE-2008-4989
+
 -------------------------------------------------------------------
 Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
diff --git a/gnutls.spec b/gnutls.spec
index 8c4ffdd..2efbc24 100644
--- a/gnutls.spec
+++ b/gnutls.spec
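Review bot: In the self-signed check that CVE-2008-4989.patch moves into the earlier position, the bounds guard is still evaluated after the index it is meant to protect: `certificate_list[clist_size - 1]` is read in the gnutls_x509_crt_check_issuer call before `&& clist_size > 0` is tested, so if any caller can pass an empty list the access at index -1 happens before the guard can reject it (and if clist_size is unsigned the subtraction wraps first). Rewriting the condition as `if (clist_size > 0 && gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], certificate_list[clist_size - 1]) > 0)` makes the guard effective; the same ordering is visible in the lines the patch removes, so this is carried over rather than introduced, but the patch is the natural place to correct it. Since the block now precedes the verification of certificate_list[clist_size - 1] against the trusted CA list, a short comment such as `/* Must run before the trusted-CA lookup below so that lookup sees the chain's real last certificate, not a server-supplied self-signed one. */` would record why the ordering is part of the fix, as far as the hunk lets one infer that intent. The enclosing function starts and ends outside the hunk.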
@@ -21,12 +21,13 @@ Name: gnutls
 BuildRequires: gcc-c++ libgcrypt-devel libopencdk-devel
 Version: 2.4.1
-Release: 22
+Release: 23
 License: GPL v3 or later; LGPL v2.1 or later
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Url: http://www.gnutls.org/
 Source0: %name-%version.tar.bz2
 Patch1: gnutls-2.4.1-disable_cxx.patch
+Patch2: CVE-2008-4989.patch
 Summary: The GNU Transport Layer Security Library
 Group: Productivity/Networking/Security
 AutoReqProv: on
@@ -144,6 +145,7 @@ Authors:
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 %build
 autoreconf -fi
@@ -230,6 +232,9 @@ rm -rf %buildroot
 %_libdir/pkgconfig/gnutls-extra.pc
 %changelog
+* Fri Nov 28 2008 jshi@suse.de
+- fix security bug [bnc#441856]
+ CVE-2008-4989
 * Thu Oct 30 2008 olh@suse.de
 - obsolete old -XXbit packages (bnc#437293)
 * Sat Aug 02 2008 meissner@suse.de
@@ -465,7 +470,7 @@ rm -rf %buildroot
 - Update to version 1.2.3 (fixes gnutls DOS Bug #83481)
 - Include defines.h before gnutls.h, to pull in config.h, to make sure
 memmem.h prototype memmem properly
-* Sun Jan 30 2005 hvogel@suse.de
+* Sat Jan 29 2005 hvogel@suse.de
 - Update to version 1.2.0
 * Wed Jan 19 2005 hvogel@suse.de
 - update to version 1.1.23