Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 26 Feb 2015 10:22:57 +0000 (UTC)
From: Sébastien Delafond <sdelafond@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 is
> apparently about ignoring GnuTLSClientVerify when this directive is
> present only in a server config context.

This is the issue at hand, yes.

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 is
> apparently discussing the 2009 bug when saying "This bug still
> exists in current stable and unstable packages" but perhaps is
> actually referring to a remaining issue that exists because of an
> incomplete fix for the 2009 bug.

Correct.

> The various discussion of "when I browse site2 in IE, it shows me
> the certificate of site1" and "it seems curl extension of php also
> can't correctly connect" in
> http://issues.outoforder.cc/view.php?id=93#c187 is possibly a user
> error and not a valid third vulnerability report.

Agreed.

> So, are you looking for:
>
>   one CVE-2009-#### ID  -- vulnerability involving the directory context
>
>   one CVE-2015-#### ID  -- vulnerability involving the server config context

The latter; this issue is definitely about the server config context
being ignored.

Cheers,

--Seb

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.