Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 13 Apr 2010 14:41:21 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: irssi 0.8.15

On Mon, 12 Apr 2010 15:41:34 -0400 (EDT) Josh Bressers
<bressers@...hat.com> wrote:

> It fixes the old "does not properly handle a '\0' character in a
> domain name in the subject's Common Name (CN) field" flaw, plus also
> verifies that the server being connected to is the one listed in the
> certificate.
> 
> Let's assign these as such:
> CVE-2010-1154 irssi 0.8.15 /0 in CN field
> CVE-2010-1155 irssi 0.8.15 certificate host validation

I believe assignment of CVE-2010-1154 is redundant here, given that
CVE-2010-1155 is about the completely missing server name check.  If it
wasn't checking names, it wasn't handling \0 in names incorrectly.

-- 
Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.