Message-ID: <1208588851.142891276544463083.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Mon, 14 Jun 2010 15:41:03 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: w3m does not check null bytes CN/subjAltName

Please use CVE-2010-2074 for this.

Thanks.

-- 
    JB


----- "Ludwig Nussel" <ludwig.nussel@...e.de> wrote:

> Hi,
> 
> Yet another occurrence of CVE-2009-2408, this time in w3m. I tried
> contacting the w3m developers listed on sourceforge but got no
> response. In the default configuration the missing null checks don't
> make the situation worse though as w3m doesn't verify certificates
> by default ('ssl_verify_server' is off by default). The two attached
> patches turn on 'ssl_verify_server' and fix the null handling.
> 
> cu
> Ludwig
> 
> -- 
>  (o_   Ludwig Nussel
>  //\   
>  V_/_  http://www.suse.de/
> SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
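
The null-byte check discussed in this thread, as an added example (it is not the w3m patch, which is not shown on this page): a certificate name is length-delimited, so a verifier has to reject names containing NUL before comparing. `struct cert_name`, the function names and the sample names are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type: a length-delimited name as read from a certificate
 * field (CN or subjAltName). Its bytes may include NUL. */
struct cert_name { const unsigned char *data; size_t len; };

/* Constructed sample values; sizeof - 1 drops the literal's terminator. */
static const unsigned char RAW_NUL[] = "www.example.com\0.other.invalid";
static const unsigned char RAW_OK[]  = "www.example.com";
static const struct cert_name NAME_NUL = { RAW_NUL, sizeof(RAW_NUL) - 1 };
static const struct cert_name NAME_OK  = { RAW_OK,  sizeof(RAW_OK) - 1 };

/* Missing check: the field is treated as a C string, so the comparison
 * stops at the first NUL and never sees the bytes after it. */
static int match_unchecked(const struct cert_name *n, const char *host)
{
    return strcmp((const char *)n->data, host) == 0;
}

/* With the check: 1 = match, 0 = mismatch, -1 = malformed name
 * (empty or containing NUL). Exact match only, no wildcard handling. */
static int match_checked(const struct cert_name *n, const char *host)
{
    size_t i, hlen = strlen(host);

    if (n->len == 0 || memchr(n->data, '\0', n->len) != NULL)
        return -1;
    if (n->len != hlen)
        return 0;
    for (i = 0; i < hlen; i++)   /* host names compare case-insensitively */
        if (tolower(n->data[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

int main(void)
{
    const char *host = "www.example.com";

    printf("unchecked, NUL name: %d\n", match_unchecked(&NAME_NUL, host));
    printf("checked,   NUL name: %d\n", match_checked(&NAME_NUL, host));
    printf("checked,   clean name: %d\n", match_checked(&NAME_OK, host));
    return 0;
}
```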
