Date: Wed, 17 Sep 2014 10:14:33 -0400
From: Alex Gaynor <alex.gaynor@...il.com>
To: oss-security@...ts.openwall.com
Subject: Twisted Security Issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello all,

The Twisted security project has identified, fixed, and released a release
fixing a security issue. I would like a CVE assigned:

Title: trustRoot not respected in HTTP client
Reporter: Alex Gaynor and David Reid (Rackspace)
Products: Twisted (14.0 only).
Description: When specifying the trustRoot (CA store) for the HTTP client,
Twisted did not respect the user's specification, and always used the default
of the platform trust. This means that users attempting to use this feature
to implement certificate pinning, or otherwise restrict the trusted CAs, would
still have accepted any certificate signed by a CA.

Twisted 14.0.1 has been issued to resolve this issue. (Distributors should note
that this release has failing tests, and that a 14.0.2 release will be issued
tomorrow; this does not affect the fix, only the tests.)

Alex

- -- 
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
-----BEGIN PGP SIGNATURE-----
Version: OpenPGP.js v0.6.1-dev
Comment: http://openpgpjs.org

wsFcBAEBCAAQBQJUGZdCCRASX1xn3+lAhAAAR58P/j7yagn9+/+IAflzeS2v
hNRBhAUWsFpbwor7FvppXMTPjAFsMP1soBn1RQygRr3uKM4my1myX7UQl2Gj
qYtiZpcsvdQO6X5lZwU3Zbl0q7eHXGdwZMO0/xw5TUPTMyATcOk/rgiAm8Z0
BT0zV0lYU3oMB1E3ee/xuOkCpSlPq8BZfsFcVNi/uHzWS9Qgt5RuujIEEQfv
V+rTU8bmdGMC98Rsz0vfJJ93acpkuC3iKejz4SzMJdrmq/mSLhr/sgGZFanl
20KwHEjmL41NvoJlwHJ2fL8y4aVusXsuUFpmxuEq/cAaoREi7N8VFHzhS1+U
4cT0rqjW89wGZWhK6jjI31acKZ8s3Irkk6UeQ1XfSxgFh8UTCMCBWVCM1Cwe
pfXEXcBduO4xNAiKVFtHU/RHr5hNjGop2bCOtwP6+yYBp1SODb8N8vTxhvOx
zKu8tMGb0hWIY6O/TbW/oki/t+eonYBnsp5ytELUz7IqQYZu7xRjgH19uXKj
XDG0vwq3lfxwmH0ILVxwR3l+vTBWc8JxQAz3X+mT8OmHHeXFWM/ajwcooug1
9umK7heXrLnLaPdY99ICZp0xXwHo9fIn5pZT8gxIkUF8L8OWeD6uSleeiCBu
nbsPCQjg4fIcmjJcpJIvqukSF4tumIPxUJDi1nk/37I02dF8i1IQnzmjHT3Y
HrSs
=GOlp
-----END PGP SIGNATURE-----
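Added example (editor's note, not part of the advisory above and not Twisted code): the check a deployer would want after reading this advisory is whether the TLS client actually consults the trust root it was given, rather than the platform store. The script below builds two throwaway private CAs with the openssl command-line tool (assumed to be on PATH), stands up a local TLS server presenting a leaf issued by CA A, and handshakes against it three times: pinned to CA A, with the platform store, and pinned to CA B. It is written against the Python standard-library ssl module so that it runs without Twisted installed; the same three-way check applies to a Twisted client whose trust root is passed to twisted.web.client.BrowserLikePolicyForHTTPS(trustRoot=...). All certificates and keys are constructed on the fly and discarded.

```python
"""Check that a TLS client honours a caller-supplied trust root.

Editor's added example; stdlib ssl plus the openssl CLI, not Twisted.
Expected on a correct client: pinned_to_issuer accepted, platform_trust
rejected, pinned_to_other_ca rejected.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    """Run one openssl CLI command (assumed installed), failing loudly on error."""
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_pki(workdir, name):
    """Create a throwaway CA called <name> and a leaf for 'localhost' it signs.

    Returns (ca_pem, leaf_cert, leaf_key) paths. Key material is constructed
    here for the example only.
    """
    ca_key = os.path.join(workdir, name + "-ca.key")
    ca_pem = os.path.join(workdir, name + "-ca.pem")
    leaf_key = os.path.join(workdir, name + "-leaf.key")
    leaf_csr = os.path.join(workdir, name + "-leaf.csr")
    leaf_pem = os.path.join(workdir, name + "-leaf.pem")
    san = os.path.join(workdir, name + "-san.cnf")
    with open(san, "w") as f:
        f.write("subjectAltName=DNS:localhost\n")
    # Self-signed CA certificate (req -x509 marks it CA:TRUE by default).
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=" + name + " test CA",
             "-keyout", ca_key, "-out", ca_pem)
    # Leaf key and CSR, then sign the CSR with the CA, adding the SAN.
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-subj", "/CN=localhost", "-keyout", leaf_key, "-out", leaf_csr)
    _openssl("x509", "-req", "-days", "1", "-in", leaf_csr,
             "-CA", ca_pem, "-CAkey", ca_key, "-CAcreateserial",
             "-extfile", san, "-out", leaf_pem)
    return ca_pem, leaf_pem, leaf_key


def _serve_once(listener, cert, key):
    """Accept one connection, run the TLS handshake as the server, then close."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    try:
        conn, _ = listener.accept()
        conn.settimeout(5)
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)  # returns b"" once the client closes
    except (ssl.SSLError, OSError):
        pass  # a client that rejects our certificate aborts the handshake


def client_accepts(trust_root, cert, key):
    """Handshake against a local server presenting `cert`.

    trust_root: path of a CA PEM to trust, or None for the platform store
    (create_default_context loads ONLY the given file when one is passed).
    Returns True if the client accepts the server, False if it rejects it.
    """
    ctx = ssl.create_default_context(cafile=trust_root)
    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server = threading.Thread(target=_serve_once, args=(listener, cert, key))
    server.start()
    try:
        with socket.create_connection(listener.getsockname()) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost"):
                return True
    except ssl.SSLCertVerificationError:
        return False
    finally:
        server.join()
        listener.close()


def run_checks():
    """Build CAs A and B, serve A's leaf, and try the three trust settings.

    Returns a dict of case name -> whether the client accepted the server.
    """
    with tempfile.TemporaryDirectory() as d:
        ca_a, leaf_a, key_a = make_pki(d, "A")
        ca_b, _, _ = make_pki(d, "B")
        return {
            "pinned_to_issuer": client_accepts(ca_a, leaf_a, key_a),
            "platform_trust": client_accepts(None, leaf_a, key_a),
            "pinned_to_other_ca": client_accepts(ca_b, leaf_a, key_a),
        }


if __name__ == "__main__":
    for case, accepted in run_checks().items():
        print(case + ": " + ("accepted" if accepted else "rejected"))
```

On a client with the defect described in the advisory, the first case fails as well, because the private CA is never consulted, while a certificate from any platform-trusted CA would be accepted despite the pin; that second half is the exposure the advisory describes, and this script does not exercise it directly because it constructs no platform-trusted certificate.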