Date: Tue, 13 Apr 2010 14:41:21 +0200 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Cc: coley <coley@...re.org> Subject: Re: CVE request: irssi 0.8.15 On Mon, 12 Apr 2010 15:41:34 -0400 (EDT) Josh Bressers <bressers@...hat.com> wrote: > It fixes the old "does not properly handle a '\0' character in a > domain name in the subject's Common Name (CN) field" flaw, plus also > verifies that the server being connected to is the one listed in the > certificate. > > Let's assign these as such: > CVE-2010-1154 irssi 0.8.15 /0 in CN field > CVE-2010-1155 irssi 0.8.15 certificate host validation I believe assignment of CVE-2010-1154 is redundant here, given that CVE-2010-1155 is about the completely missing server name check. If it wasn't checking names, it wasn't handling \0 in names incorrectly. -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.