diff --git a/CVE-2008-4989.patch b/CVE-2008-4989.patch
index 2f0d2b4..06c3ed3 100644
--- a/CVE-2008-4989.patch
+++ b/CVE-2008-4989.patch
@@ -1,29 +1,11 @@
-Index: gnutls/lib/x509/verify.c
+Index: gnutls-2.4.1/lib/x509/verify.c
 ===================================================================
---- gnutls/lib/x509/verify.c 2008-11-10 10:58:33.000000000 +0100
-+++ gnutls/lib/x509/verify.c 2008-11-10 10:58:41.000000000 +0100
-@@ -374,6 +374,17 @@
- int i = 0, ret;
- unsigned int status = 0, output;
-
-+ /* Check if the last certificate in the path is self signed.
-+ * In that case ignore it (a certificate is trusted only if it
-+ * leads to a trusted party by us, not the server's).
-+ */
-+ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
-+ certificate_list[clist_size - 1]) > 0
-+ && clist_size > 0)
-+ {
-+ clist_size--;
-+ }
-+
- /* Verify the last certificate in the certificate path
- * against the trusted CA certificate list.
- *
-@@ -412,17 +423,6 @@
+--- gnutls-2.4.1.orig/lib/x509/verify.c
++++ gnutls-2.4.1/lib/x509/verify.c
+@@ -414,17 +414,6 @@ _gnutls_x509_verify_certificate (const g
 }
 #endif
-
+
 - /* Check if the last certificate in the path is self signed.
 - * In that case ignore it (a certificate is trusted only if it
 - * leads to a trusted party by us, not the server's).
diff --git a/gnutls.changes b/gnutls.changes
index 6fb9ec3..f5e33d1 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Mar 13 13:37:15 CET 2009 - jshi@suse.de
+
+- fix security bug [bnc#457938]
+ new CVE-2008-4989
+
 -------------------------------------------------------------------
 Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
 
diff --git a/gnutls.spec b/gnutls.spec
index c3e0ef3..297e17f 100644
--- a/gnutls.spec
+++ b/gnutls.spec
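Review bot: The revised CVE-2008-4989.patch (hunk `@@ -1,29 +1,11 @@`) has no header explaining why the trailing self-signed-certificate check is now only deleted at `@@ -414,17 +414,6 @@` instead of being moved ahead of the trusted-CA lookup as the previous version did, and the changelog text `new CVE-2008-4989` does not say either. The dropped block called `gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], ...)` before testing `clist_size > 0`, so it could index before the start of the list when `clist_size` is 0; if that is the reason, record it above `Index:` with a line such as `Do not strip a trailing self-signed certificate before verification; the moved check read certificate_list[clist_size - 1] before testing clist_size > 0.` Only the first three lines of the inner hunk fall inside this diff's context, so the full set of lines the new patch removes from `_gnutls_x509_verify_certificate` is not visible here and should be compared with the upstream fix. A chain whose last element is a self-signed certificate absent from the trusted list is the case the deleted code handled, so a verification test for that input would confirm the rebased patch behaves as intended.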
@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls (Version 2.4.1)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 Name: gnutls
 BuildRequires: gcc-c++ libgcrypt-devel libopencdk-devel
 Version: 2.4.1
-Release: 24
+Release: 25
 License: GPL v3 or later; LGPL v2.1 or later
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Url: http://www.gnutls.org/
@@ -226,6 +226,9 @@ rm -rf %buildroot
 %_libdir/pkgconfig/gnutls-extra.pc
 %changelog
+* Fri Mar 13 2009 jshi@suse.de
+- fix security bug [bnc#457938]
+ new CVE-2008-4989
 * Wed Dec 10 2008 olh@suse.de
 - use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade (bnc#437293)