Date: Thu, 17 Apr 2014 12:48:36 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: openssl: missing critical flag for extended key usage not always detected in time-stamp verification

On 04/16/2014 10:10 PM, Raphael Geissert wrote:
> Hi,
>
> Quoting from :
>> "check_purpose_timestamp_sign()" in source file v3_purp.c [...] fails to
>> detect a missing critical flag if the extensions of the TSA certificate
>> are arranged in a specific order.
>
> Could a CVE id be assigned for this?

As described, this isn't a security issue, but the actual commit
<http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=300b9f0b704048f60776881f1d378c74d9c32fbd>
might constitute a security fix if this applies not just to extensions
on TSA certificates.

--
Florian Weimer / Red Hat Product Security Team