Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 1 Apr 2010 11:48:08 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Alvaro J. Iradier Muro" <airadier@...rs.sourceforge.net>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- aMSN -- improper SSL certificate
 validation (MITM)

----- "Jan Lieskovsky" <jlieskov@...hat.com> wrote:

> Hi Steve, vendors,
> 
>    Gabriel Menezes Nunes reported:
>      [1] http://seclists.org/bugtraq/2009/Jun/239
> 
>    a deficiency in the way aMSN messenger validated SSL certificates
> when
>    connecting to the MSN server. A remote attacker could conduct
> man-in-the-middle
>    attacks and / or impersonate trusted servers.
> 
>    Affected version:
>      Issue originally reported against aMSN v0.97.2, but further
> research showed [4]
>      latest aMSN v0.98.3 still suffers from the flaw.
> 
>    References:
>      [2]
> http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html
>      [3] http://secunia.com/advisories/35621/
>      [4] http://www.opensource-archive.org/showthread.php?p=183821
>      [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572818
> 
>    Upstream (testing) patch:
>      [6]
> http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/?view=log&pathrev=11991
> 
> Not sure, if this already got a CVE id, but in case if not, could you
> allocate one?
> 

I can't find a CVE id.

Please use CVE-2010-0744

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ