Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 12 May 2015 08:44:06 +0200
From: Philipp Kern <pkern@...ian.org>
To: oss-security@...ts.openwall.com
Cc: armin@...ur.net
Subject: CVE request: libinfinity did not correctly check certificates for
 validity

Hi,

Debian bug #783601[1] reported that Gobby - a collaborative text editor
- silently accepted expired certificates. The upstream bug report is
[2]. The bug is actually in libinfinity and the fix is available on [2].

libinfinity does support certificate pinning and hence contains the
ability to disable some checks like trusted issuer and hostname
verification. However the catch-all validity check was in the wrong
location.

Please assign a CVE ID for this.

Kind regards and thanks
Philipp Kern

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783601
[2] https://github.com/gobby/gobby/issues/61
[3] https://github.com/gobby/libinfinity/commit/c97f870f5ae13112988d9f8ad464b4f679903706

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ