Date: Tue, 12 May 2015 08:44:06 +0200
From: Philipp Kern <pkern@...ian.org>
To: oss-security@...ts.openwall.com
Cc: armin@...ur.net
Subject: CVE request: libinfinity did not correctly check certificates for validity

Hi,

Debian bug #783601 reported that Gobby - a collaborative text editor - silently accepted expired certificates. The upstream bug report is . The bug is actually in libinfinity and the fix is available on .

libinfinity does support certificate pinning and hence contains the ability to disable some checks like trusted issuer and hostname verification. However the catch-all validity check was in the wrong location.

Please assign a CVE ID for this.

Kind regards and thanks
Philipp Kern

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783601
https://github.com/gobby/gobby/issues/61
https://github.com/gobby/libinfinity/commit/c97f870f5ae13112988d9f8ad464b4f679903706
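
The ordering problem described in the message above, as an added example that is not part of the original post and is not libinfinity's code: a simplified C model in which a pinned certificate skips the issuer and hostname checks. The struct, the function names and the exact placement of the validity check are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical model of a peer certificate; these are not libinfinity's types. */
struct cert_info {
    time_t not_before;      /* start of validity window */
    time_t not_after;       /* end of validity window */
    bool   issuer_trusted;  /* chain ends at a trusted CA */
    bool   hostname_match;  /* subject matches the host we connected to */
    bool   matches_pin;     /* identical to the certificate pinned for this host */
};
enum verdict { CERT_ACCEPT, CERT_REJECT };

static bool in_validity_window(const struct cert_info *c, time_t now)
{
    return now >= c->not_before && now <= c->not_after;
}

/* Flawed ordering (assumed shape): the validity test sits in the branch pinning skips. */
enum verdict verify_misplaced(const struct cert_info *c, time_t now)
{
    if (!c->matches_pin) {
        if (!c->issuer_trusted || !c->hostname_match)
            return CERT_REJECT;
        if (!in_validity_window(c, now))   /* never reached for a pinned cert */
            return CERT_REJECT;
    }
    return CERT_ACCEPT;
}

/* Corrected ordering: validity is checked unconditionally; only the issuer
 * and hostname checks are relaxed for a pinned certificate. */
enum verdict verify_fixed(const struct cert_info *c, time_t now)
{
    if (!in_validity_window(c, now))
        return CERT_REJECT;
    if (!c->matches_pin && (!c->issuer_trusted || !c->hostname_match))
        return CERT_REJECT;
    return CERT_ACCEPT;
}

int main(void)
{
    /* Constructed sample: a pinned, self-signed certificate that expired at t=2000. */
    struct cert_info c = { 1000, 2000, false, false, true };
    printf("misplaced=%d fixed=%d\n", (int)verify_misplaced(&c, 3000), (int)verify_fixed(&c, 3000));
    return 0;
}
```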