Date: Thu, 26 Feb 2015 10:22:57 +0000 (UTC) From: Sébastien Delafond <sdelafond@...il.com> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 is > apparently about ignoring GnuTLSClientVerify when this directive is > present only in a server config context. This is the issue at hand, yes. > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 is > apparently discussing the 2009 bug when saying "This bug still > exists in current stable and unstable packages" but perhaps is > actually referring to a remaining issue that exists because of an > incomplete fix for the 2009 bug. Correct. > The various discussion of "when I browse site2 in IE, it shows me > the certificate of site1" and "it seems curl extension of php also > can't correctly connect" in > http://issues.outoforder.cc/view.php?id=93#c187 is possibly a user > error and not a valid third vulnerability report. Agreed. > So, are you looking for: > > one CVE-2009-#### ID -- vulnerability involving the directory context > > one CVE-2015-#### ID -- vulnerability involving the server config context The latter; this issue is definitely about the server config context being ignored. Cheers, --Seb
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ