Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 5 Sep 2012 11:01:03 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: Marcus Meissner <meissner@...e.de>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: pidgin lack of SSL checks

Hello Marcus, 

> Hi,
> 
> Beautiful rant... needs CVE I guess.
> http://developer.pidgin.im/ticket/15308
> 
> Missing SSL checks in libpurples NSS SSL plugin allows MitM attacks.

Actually right now it looks there isn't an issue at all
(if I got that clarification correctly):
[1] http://developer.pidgin.im/ticket/15308#comment:3

Thus I would wait with CVE assignment for a bit till "water surface
has had chance to quieten down".

> 
> (funny side note here is that gnutls 3.x is GPLv3 and effectively
>  could taint any library/binary linking with it to be GPLv3 or newer.)
> 
> Ciao, Marcus
> -- 
> Open Linux Security Engineer Position at SUSE: http://bit.ly/Li4RbS

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.