Date: Wed, 10 Mar 2010 17:15:04 +0100 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security <oss-security@...ts.openwall.com>, "Alvaro J. Iradier Muro" <airadier@...rs.sourceforge.net> Subject: CVE Request -- aMSN -- improper SSL certificate validation (MITM) Hi Steve, vendors, Gabriel Menezes Nunes reported:  http://seclists.org/bugtraq/2009/Jun/239 a deficiency in the way aMSN messenger validated SSL certificates when connecting to the MSN server. A remote attacker could conduct man-in-the-middle attacks and / or impersonate trusted servers. Affected version: Issue originally reported against aMSN v0.97.2, but further research showed  latest aMSN v0.98.3 still suffers from the flaw. References:  http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html  http://secunia.com/advisories/35621/  http://www.opensource-archive.org/showthread.php?p=183821  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572818 Upstream (testing) patch:  http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/?view=log&pathrev=11991 Not sure, if this already got a CVE id, but in case if not, could you allocate one? Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ