Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20150226054749.2E2736C0014@smtpvmsrv1.mitre.org>
Date: Thu, 26 Feb 2015 00:47:49 -0500 (EST)
From: cve-assign@...re.org
To: seb@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> mod-gnutls doesn't consider the server's client verify mode, even if the
> verify mode was unset in the directory configuration. As a result,
> invalid certificates are ignored and clients can connect and receive
> data as long as they presented any certificate whatsoever.
> 
> https://bugs.debian.org/578663
> https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2
> http://issues.outoforder.cc/view.php?id=93

We haven't been able to determine how many different vulnerabilities
are being reported. The 2009 report is apparently about ignoring
GnuTLSClientVerify when this directive is present in a directory
context, whereas
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 is
apparently about ignoring GnuTLSClientVerify when this directive is
present only in a server config context.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 is
apparently discussing the 2009 bug when saying "This bug still exists
in current stable and unstable packages" but perhaps is actually
referring to a remaining issue that exists because of an incomplete
fix for the 2009 bug.

The 2009 report seems to imply that that verification problem is an
impact of a bug related to improper "rehandshake" handling
(http://issues.outoforder.cc/view.php?id=93#c140). Also,
http://issues.outoforder.cc/view.php?id=93#c187 suggests that the
verification problem is observed with some browsers but not others,
which might mean that sessions with certain browsers (or browsers with
certain SSL configurations) do not end up having a "rehandshake."
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 has no
mention of "rehandshake" or anything similar, and instead apparently
blames the problem on "the authentication hook (mgs_hook_authz)."
Similarly, the 2015 patch (i.e.,
5a8a32bbfb8a83fe6358c5c31c443325a7775fc2) seems to be a fix for a
missing check in the 2009 patch (i.e., the
http://issues.outoforder.cc/file_download.php?file_id=34&type=bug
patch).

The various discussion of "when I browse site2 in IE, it shows me the
certificate of site1" and "it seems curl extension of php also can't
correctly connect" in http://issues.outoforder.cc/view.php?id=93#c187
is possibly a user error and not a valid third vulnerability report.

So, are you looking for:

  one CVE-2009-#### ID  -- vulnerability involving the directory context

  one CVE-2015-#### ID  -- vulnerability involving the server config context

?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU7rKSAAoJEKllVAevmvmsImMH/3JMN+d67QFOoiqdmtBdVpAP
F3gWqctza+yLK1ocUAimX4Rhl/H6Cnm2D10A1u5rInXJ7FzZrsPD5dfkNLfJlMbI
qCv54tzAC0sMb2qziEIGPmRj0koVPM1sWY5nhOwWl0CM7wIYX/MW4VDzC6LK/ias
MfuD5vJnPjA7pIu2MNEz8gOOuF7HDrZvnqX5T9pEcKsEIK3lXRHNGtY/r+71VOPR
DnZ0saIccfnNaYfN6fUg5PcPFisk2BzX7h8z5NyhfhtNypdcEerllgFmuW0J/Zxf
xs9I+vrIROE/PDVrTUxjeWoc/QlW/tR8UExgMRPR3MPn08iOOPGSbCsLKGfrBZA=
=nfvd
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.