[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Wed, 5 Aug 2009 20:12:51 +0300
From: Henri Salo <hsalogeek@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: fetchmail <= 6.3.10 SSL certificate
NUL prefix verification bypass
2009/8/5 Tomas Hoger <thoger@...hat.com>
> Hi Matthias!
>
> Thanks for the heads-up!
>
> On Wed, 05 Aug 2009 17:14:36 +0200 "Matthias Andree"
> <matthias.andree@....de> wrote:
>
> > Is there a global CVE ID to collect this vulnerability that is
> > supposed to be reused by applications?
>
> That's actually a pretty good question. This problem was first
> presented for Firefox/NSS and got assigned CVE-2009-2408.
>
> Similar problem also affects GnuTLS and some changes are being
> discussed on the -devel mailing list, with some changes and tests
> already in git. This should deserve a separate CVE.
>
> And than there is OpenSSL, which, as I've been told, expects
> applications to do name checking. So it's probably safe to assume that
> many / majority of client applications using OpenSSL are likely to be
> affected by some variant of this problem (either via CommonNames or
> subjectAltNames). I'm not sure if single CVE should be used here for
> all, or dozens of CVEs, one for each. It's likely going to be mess
> either way. I'm adding CC on Steven for advice. Steven, at least one
> CVE has already been allocated privately for similar case.
>
> --
> Tomas Hoger / Red Hat Security Response Team
>
I think there should be one for every vulnerability so one can follow the
process of fixing this issue in specific application.
---
Henri Salo
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Powered by Openwall GNU/*/Linux -
Powered by OpenVZ