Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGGN9eceQ2wZhA5OskNJowcrECe6zOmtS6WG6WfetRMXxENUWA@mail.gmail.com>
Date: Sun, 19 Oct 2014 19:26:02 +1000
From: Lord Tuskington <l.tuskington@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Cyanogenmod MITM

After reading el reg's article regarding a cyanogenmod MITM flaw, I started
looking through the code to see if I could find it. It didn't take long.
This finding was not what users are led to believe by cyanogenmod's blog
post. I reported the issue to cyanogenmod, but got a rather unsatisfactory
reply. They didn't seem willing to modify the blog post to more accurately
reflect the problem. Below is my email exchange with cyanogenmod's security
address:

 Lord Tuskington,

 Thank your for your response. Truth is we assumed as much, but the lack of
meaningful information in the Register's sensational article didn't leave
us much room to interpret it besides what it presented at face value.

 As you noted, this has already been addressed in our shipping code branch
(cm-11), prior to the article's publishing. This was the net result of the
messaging provided in the blog post, with CM 11 being 'safe' from this
issue.

 We normally do not patch non-shipping code (in this case 10.2 and prior),
though we may in this case.

 We do not expect to make a advisory on the 10.2 item at this time.

 Thank you,
Abhisek Devkota

  On Oct 17, 2014 8:50 PM, "Lord Tuskington" <l.tuskington@...il.com> wrote:
  Hello from Greenland!

I think you may be confused about the issue discussed here:
http://www.cyanogenmod.org/blog/in-response-to-the-register-mitm-article

If I understand correctly, the original reporter may have been referring to
a vulnerability fixed by this commit, which was merged 20 days ago:

https://github.com/CyanogenMod/android_external_apache-http/commit/f925f10b1feba92868fd4e8966592ec1bf755d67

The vulnerable code is still present in the cm-10.2 branch:

https://github.com/CyanogenMod/android_external_apache-http/blob/cm-10.2/src/org/apache/http/conn/ssl/AbstractVerifier.java#L228-244
If you release an advisory, please credit "Lord Tuskington of TuskCorp" for
reporting this vulnerability responsibly.
Regards

Lord Tuskington
Chief Financial Pinniped
TuskCorp

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.