Date: Tue, 12 May 2015 08:44:06 +0200
From: Philipp Kern <>
Subject: CVE request: libinfinity did not correctly check certificates for


Debian bug #783601[1] reported that Gobby - a collaborative text editor
- silently accepted expired certificates. The upstream bug report is
[2]. The bug is actually in libinfinity and the fix is available on [2].

libinfinity does support certificate pinning and hence contains the
ability to disable some checks like trusted issuer and hostname
verification. However the catch-all validity check was in the wrong

Please assign a CVE ID for this.

Kind regards and thanks
Philipp Kern

