|
Message-ID: <1128715081.206511270136888690.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> Date: Thu, 1 Apr 2010 11:48:08 -0400 (EDT) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: "Alvaro J. Iradier Muro" <airadier@...rs.sourceforge.net>, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE Request -- aMSN -- improper SSL certificate validation (MITM) ----- "Jan Lieskovsky" <jlieskov@...hat.com> wrote: > Hi Steve, vendors, > > Gabriel Menezes Nunes reported: > [1] http://seclists.org/bugtraq/2009/Jun/239 > > a deficiency in the way aMSN messenger validated SSL certificates > when > connecting to the MSN server. A remote attacker could conduct > man-in-the-middle > attacks and / or impersonate trusted servers. > > Affected version: > Issue originally reported against aMSN v0.97.2, but further > research showed [4] > latest aMSN v0.98.3 still suffers from the flaw. > > References: > [2] > http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html > [3] http://secunia.com/advisories/35621/ > [4] http://www.opensource-archive.org/showthread.php?p=183821 > [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572818 > > Upstream (testing) patch: > [6] > http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/?view=log&pathrev=11991 > > Not sure, if this already got a CVE id, but in case if not, could you > allocate one? > I can't find a CVE id. Please use CVE-2010-0744 Thanks. -- JB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.