Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 01 Aug 2010 18:00:32 +0200
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
CC: oss-security <>
Subject: CVE Request -- OpenConnect < v2.25  did not verify SSL server certificates

Hello Steve, vendors,

   OpenConnect upstream has released OpenConnect v2.25:

addressing following security related issues (from [1]):
   OpenConnect v2.25  2010-05-15

     * Always validate server certificate, even when no extra --cafile is provided.
     * Add --no-cert-check option to avoid certificate validation.
     * Check server hostname against its certificate.
     * Provide text-mode function for reviewing and accepting "invalid" certificates.
     * Fix libproxy detection on NetBSD.


Though not direct security issue(s) [rather security hardening], once the package has SSL support,
it should be enabled by default to avoid unintentional MITM attacks (implying from default package
configuration use).

Steve, could you allocate a CVE identifier for this? (but opened for discussion if such security
hardening fixes aren't considered enough this to be handled as a security issue).

Thanks && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ