Date: Sun, 01 Aug 2010 18:00:32 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>
Subject: CVE Request -- OpenConnect < v2.25 did not verify SSL server certificates

Hello Steve, vendors,

OpenConnect upstream has released OpenConnect v2.25:
  http://www.infradead.org/openconnect.html

addressing the following security-related issues (from ):

OpenConnect v2.25 — 2010-05-15
 * Always validate server certificate, even when no extra --cafile is provided.
 * Add --no-cert-check option to avoid certificate validation.
 * Check server hostname against its certificate.
 * Provide text-mode function for reviewing and accepting "invalid" certificates.
 * Fix libproxy detection on NetBSD.

References:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590873
  ftp://ftp.infradead.org/pub/openconnect/openconnect-2.25.tar.gz

Though not a direct security issue [rather security hardening], once the package has SSL support, it should be enabled by default to avoid unintentional MITM attacks (implied by the default package configuration in use).

Steve, could you allocate a CVE identifier for this? (But open for discussion if such security hardening fixes aren't considered enough for this to be handled as a security issue.)

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
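As an added illustration of what the "check server hostname against its certificate" and "always validate server certificate" items amount to in a TLS client (example code written for this page, not OpenConnect's own; the certificate names below are constructed):

```python
import ssl

# Constructed peer certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); every name here is made up for this example.
CERT_WITH_SAN = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "old-gateway.example.com"),),)}


def _dns_match(pattern, hostname):
    """Match one dNSName against a hostname (case-insensitive). A wildcard is
    honoured only as the complete leftmost label of a name with at least two
    further labels, so '*.vpn.example.com' matches 'gw1.vpn.example.com' but
    neither 'vpn.example.com' nor 'a.b.vpn.example.com', and '*.com' matches
    nothing at all."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def hostname_matches(cert, hostname):
    """Return True if hostname is one of the certificate's server identities.
    When any DNS subjectAltName is present only those names count; the
    subject commonName is consulted solely for legacy certificates without
    them. A certificate that chains to a trusted CA but fails this check still
    belongs to some other host and must be rejected."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(name, hostname) for name in dns_names)


def verifying_context():
    """Client context matching the post-2.25 default: a chain to a trusted CA
    is required and the hostname is checked, neither step being optional."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx
```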