Date: Thu, 26 Feb 2015 10:22:57 +0000 (UTC)
From: Sébastien Delafond <>
Subject: Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored

> is
> apparently about ignoring GnuTLSClientVerify when this directive is
> present only in a server config context.

This is the issue at hand, yes.

> is
> apparently discussing the 2009 bug when saying "This bug still
> exists in current stable and unstable packages" but perhaps is
> actually referring to a remaining issue that exists because of an
> incomplete fix for the 2009 bug.


> The various discussion of "when I browse site2 in IE, it shows me
> the certificate of site1" and "it seems curl extension of php also
> can't correctly connect" in
> is possibly a user
> error and not a valid third vulnerability report.


> So, are you looking for:
>   one CVE-2009-#### ID  -- vulnerability involving the directory context
>   one CVE-2015-#### ID  -- vulnerability involving the server config context

The latter; this issue is definitely about the server config context
being ignored.


