Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 17 Apr 2014 12:48:36 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: openssl: missing critical flag for
 extended key usage not always detected in time-stamp verification

On 04/16/2014 10:10 PM, Raphael Geissert wrote:
> Hi,
>
> Quoting from [0]:
>> "check_purpose_timestamp_sign()" in source file v3_purp.c [...] fails to
>> detect a missing critical flag if the extensions of the TSA certificate
>> are arranged in a specific order.
>
> Could a CVE id be assigned for this?

As described, this isn't a security issue, but the actual commit

<http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=300b9f0b704048f60776881f1d378c74d9c32fbd>

might constitute a security fix if this applies not just to extensions 
on TSA certificates.

-- 
Florian Weimer / Red Hat Product Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.