Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 01 Aug 2010 18:00:32 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>
Subject: CVE Request -- OpenConnect < v2.25  did not verify SSL server certificates

Hello Steve, vendors,

   OpenConnect upstream has released OpenConnect v2.25:
   [1] http://www.infradead.org/openconnect.html

addressing following security related issues (from [1]):
   OpenConnect v2.25  2010-05-15

     * Always validate server certificate, even when no extra --cafile is provided.
     * Add --no-cert-check option to avoid certificate validation.
     * Check server hostname against its certificate.
     * Provide text-mode function for reviewing and accepting "invalid" certificates.
     * Fix libproxy detection on NetBSD.

References:
   [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590873
   [3] ftp://ftp.infradead.org/pub/openconnect/openconnect-2.25.tar.gz

Though not direct security issue(s) [rather security hardening], once the package has SSL support,
it should be enabled by default to avoid unintentional MITM attacks (implying from default package
configuration use).

Steve, could you allocate a CVE identifier for this? (but opened for discussion if such security
hardening fixes aren't considered enough this to be handled as a security issue).

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ