Date: Thu, 1 Apr 2010 11:48:08 -0400 (EDT) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: "Alvaro J. Iradier Muro" <airadier@...rs.sourceforge.net>, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE Request -- aMSN -- improper SSL certificate validation (MITM) ----- "Jan Lieskovsky" <jlieskov@...hat.com> wrote: > Hi Steve, vendors, > > Gabriel Menezes Nunes reported: >  http://seclists.org/bugtraq/2009/Jun/239 > > a deficiency in the way aMSN messenger validated SSL certificates > when > connecting to the MSN server. A remote attacker could conduct > man-in-the-middle > attacks and / or impersonate trusted servers. > > Affected version: > Issue originally reported against aMSN v0.97.2, but further > research showed  > latest aMSN v0.98.3 still suffers from the flaw. > > References: >  > http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html >  http://secunia.com/advisories/35621/ >  http://www.opensource-archive.org/showthread.php?p=183821 >  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572818 > > Upstream (testing) patch: >  > http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/?view=log&pathrev=11991 > > Not sure, if this already got a CVE id, but in case if not, could you > allocate one? > I can't find a CVE id. Please use CVE-2010-0744 Thanks. -- JB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ