Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 10 Mar 2010 17:15:04 +0100
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
CC: oss-security <>,
        "Alvaro J. Iradier Muro" <>
Subject: CVE Request -- aMSN -- improper SSL certificate validation (MITM)

Hi Steve, vendors,

   Gabriel Menezes Nunes reported:

   a deficiency in the way aMSN messenger validated SSL certificates when
   connecting to the MSN server. A remote attacker could conduct man-in-the-middle
   attacks and / or impersonate trusted servers.

   Affected version:
     Issue originally reported against aMSN v0.97.2, but further research showed [4]
     latest aMSN v0.98.3 still suffers from the flaw.


   Upstream (testing) patch:

Not sure, if this already got a CVE id, but in case if not, could you allocate one?

Thanks && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ