Date: Thu, 26 Feb 2015 10:22:57 +0000 (UTC)
From: Sébastien Delafond <sdelafond@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 is
> apparently about ignoring GnuTLSClientVerify when this directive is
> present only in a server config context.

This is the issue at hand, yes.

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 is
> apparently discussing the 2009 bug when saying "This bug still
> exists in current stable and unstable packages" but perhaps is
> actually referring to a remaining issue that exists because of an
> incomplete fix for the 2009 bug.

Correct.

> The various discussion of "when I browse site2 in IE, it shows me
> the certificate of site1" and "it seems curl extension of php also
> can't correctly connect" in
> http://issues.outoforder.cc/view.php?id=93#c187 is possibly a user
> error and not a valid third vulnerability report.

Agreed.

> So, are you looking for:
>
>   one CVE-2009-#### ID  -- vulnerability involving the directory context
>
>   one CVE-2015-#### ID  -- vulnerability involving the server config context

The latter; this issue is definitely about the server config context
being ignored.

Cheers,

--Seb
