Date: Thu, 17 Apr 2014 12:48:36 +0200 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request: openssl: missing critical flag for extended key usage not always detected in time-stamp verification On 04/16/2014 10:10 PM, Raphael Geissert wrote: > Hi, > > Quoting from : >> "check_purpose_timestamp_sign()" in source file v3_purp.c [...] fails to >> detect a missing critical flag if the extensions of the TSA certificate >> are arranged in a specific order. > > Could a CVE id be assigned for this? As described, this isn't a security issue, but the actual commit <http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=300b9f0b704048f60776881f1d378c74d9c32fbd> might constitute a security fix if this applies not just to extensions on TSA certificates. -- Florian Weimer / Red Hat Product Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.