Comment 2 for bug 305264

Jamie Strandboge (jdstrand) wrote:

The patch (ebian/patches/91_CVE-2008-4989.dif) is consistent with upstream's 2.6.2. The 2.6.1 fix for this CVE introduced a regression (see Debian http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505279). Upstream's response (and patch) can be read about here:
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3248

Ubuntu never suffered from this regression, and has the full patch as seen in 2.6.2. Could gnutls have been too lenient in the past? If the certificate is self-signed, you should be able to use '--insecure' to connect to staging.
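A toy model of the two verification policies at issue in this comment, added here as an illustration; it is not GnuTLS code, not the Debian or upstream patch, and the certificates are constructed records rather than real X.509 objects (a "signature" is simulated by recording which key produced the certificate). `verify_chain` encodes the strict policy: a self-signed certificate a server appends to its chain counts only if it is the root already in the local trust store, and an unknown self-signed certificate (the staging case above) fails unless the caller opts out of verification the way `gnutls-cli --insecure` does. `verify_chain_lenient` is a simplified model of the class of mistake behind CVE-2008-4989, a trailing self-signed certificate taken as the trust anchor without being looked up in the trust store; the real GnuTLS code path has more cases than this.

```python
"""Toy chain-verification model (constructed example, not GnuTLS code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: str   # constructed: the key this certificate carries
    sig_by: str   # constructed: the key that signed this certificate


def is_self_signed(cert: Cert) -> bool:
    return cert.subject == cert.issuer


def signed_by(cert: Cert, issuer: Cert) -> bool:
    """Simulated signature check: the issuer name matches and the signing
    key is the issuer's key (stands in for a real signature verification)."""
    return cert.issuer == issuer.subject and cert.sig_by == issuer.pubkey


def chain_links_hold(chain: List[Cert]) -> bool:
    """Every certificate must be signed by the one after it in the chain."""
    return all(signed_by(c, i) for c, i in zip(chain, chain[1:]))


def verify_chain(chain: List[Cert], trust_store: Dict[str, Cert],
                 insecure: bool = False) -> bool:
    """Strict policy: the chain must end at a certificate in trust_store.
    A self-signed certificate the server includes is accepted only if it is
    the trusted root itself (same subject and same key); an unknown
    self-signed certificate, including a self-signed leaf, fails.
    insecure=True mirrors gnutls-cli --insecure: no verification at all."""
    if insecure:
        return True
    if not chain or not chain_links_hold(chain):
        return False
    last = chain[-1]
    if is_self_signed(last):
        anchor = trust_store.get(last.subject)
        return anchor is not None and anchor.pubkey == last.pubkey
    anchor = trust_store.get(last.issuer)
    return anchor is not None and signed_by(last, anchor)


def verify_chain_lenient(chain: List[Cert], trust_store: Dict[str, Cert]) -> bool:
    """Simplified model of the leniency behind CVE-2008-4989 (not the real
    GnuTLS code path): a trailing self-signed certificate is treated as the
    trust anchor without being looked up in trust_store."""
    if not chain or not chain_links_hold(chain):
        return False
    last = chain[-1]
    if len(chain) > 1 and is_self_signed(last):
        return True   # the shortcut: the anchor is assumed to be trusted
    anchor = trust_store.get(last.issuer)
    return anchor is not None and signed_by(last, anchor)


# Constructed test material (hypothetical names and keys).
REAL_ROOT = Cert("Example Root CA", "Example Root CA", "root-key", "root-key")
SERVER = Cert("www.example.test", "Example Root CA", "server-key", "root-key")
EVIL_ROOT = Cert("Evil Root", "Evil Root", "evil-key", "evil-key")
SPOOF = Cert("www.example.test", "Evil Root", "spoof-key", "evil-key")
STAGING = Cert("staging.example.test", "staging.example.test", "stg-key", "stg-key")

TRUST_STORE = {REAL_ROOT.subject: REAL_ROOT}
CHAIN_WITH_ROOT = [SERVER, REAL_ROOT]   # server sends its CA along
CHAIN_WITHOUT_ROOT = [SERVER]
ATTACKER_CHAIN = [SPOOF, EVIL_ROOT]     # attacker-made root appended
STAGING_CHAIN = [STAGING]               # self-signed staging certificate

if __name__ == "__main__":
    cases = [("with root", CHAIN_WITH_ROOT), ("without root", CHAIN_WITHOUT_ROOT),
             ("attacker", ATTACKER_CHAIN), ("staging", STAGING_CHAIN)]
    for name, chain in cases:
        print(f"{name:13} strict={verify_chain(chain, TRUST_STORE)!s:5} "
              f"lenient={verify_chain_lenient(chain, TRUST_STORE)!s:5} "
              f"insecure={verify_chain(chain, TRUST_STORE, insecure=True)}")
```

The attacker chain is internally consistent (the spoofed certificate really is signed by the appended root), so only the trust-store lookup on the last certificate separates the two policies; the staging chain shows why a self-signed server certificate needs `--insecure` under the strict policy even though nobody is attacking.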