oss-sec mailing list archives
CVE request: hs-tls: Basic constraints vulnerability
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sun, 20 Jan 2013 13:32:33 +0100
Hi

For hs-tls (TLS/SSL implementation in Haskell) the following advisory was announced[0]:

----cut---------cut---------cut---------cut---------cut---------cut-----
Hi cafe,

this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to bad certificate validation.

Some parts of the certificate validation procedure were missing (relying on the work-in-progress x509 v3 extensions), and because of this anyone with a correct end-entity certificate can issue certificates for any arbitrary domain, i.e. acting as a CA.

This problem has been fixed in tls-extra 0.6.1, and I advise everyone to upgrade as soon as possible.

Despite a very serious flaw in the certificate validation, I'm happy that the code is seeing some audits, and would want to thank Ertugrul Söylemez for the findings [1].

[1] https://github.com/vincenthz/hs-tls/issues/29
----cut---------cut---------cut---------cut---------cut---------cut-----

According to the upstream issue it should be fixed with commit [2].

[0]: http://www.haskell.org/pipermail/haskell-cafe/2013-January/105842.html
[2]: https://github.com/vincenthz/hs-tls/commit/15885c0649ceabd2f4d2913df8ac6dc63d6b3b37

Could a CVE for this issue be assigned?

Regards,
Salvatore
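The check the advisory says was missing, shown as an added illustration that is not hs-tls code: a toy chain walk that rejects an issuer whose basicConstraints does not mark it as a CA and enforces pathLenConstraint. The Cert record, validate_chain and the sample PKI are all constructed for this example; signature and validity-period checks are assumed to happen elsewhere.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Toy certificate record (constructed for this example, no real X.509 parsing)."""
    subject: str
    issuer: str
    is_ca: bool                     # basicConstraints cA flag
    path_len: Optional[int] = None  # pathLenConstraint; None means unlimited

def validate_chain(chain: List[Cert], trusted: List[Cert],
                   enforce_basic_constraints: bool = True) -> str:
    """chain[0] is the end-entity cert, chain[-1] the root; returns "ok" or a reason.
    Signature and validity-period checks are assumed to happen elsewhere; only the
    issuer-eligibility rules of RFC 5280 section 6.1.4 are modelled."""
    if not chain:
        return "empty chain"
    if chain[-1] not in trusted:
        return "root not trusted: " + chain[-1].subject
    for i in range(1, len(chain)):
        issuer, child = chain[i], chain[i - 1]
        if child.issuer != issuer.subject:
            return "issuer mismatch at " + child.subject
        if not enforce_basic_constraints:
            continue  # models tls-extra < 0.6.1: any chained cert accepted as an issuer
        if not issuer.is_ca:
            return issuer.subject + " is an end-entity cert but issued " + child.subject
        # Intermediate CA certificates below this issuer occupy chain indices 1..i-1.
        if issuer.path_len is not None and (i - 1) > issuer.path_len:
            return "pathLenConstraint exceeded at " + issuer.subject
    return "ok"

# Constructed sample PKI: a root, an intermediate limited to pathLen 0, a leaf for
# one host, and a certificate for another host signed with that leaf's key.
ROOT = Cert("Root CA", "Root CA", is_ca=True)
INTER = Cert("Intermediate CA", "Root CA", is_ca=True, path_len=0)
LEAF = Cert("www.example.com", "Intermediate CA", is_ca=False)
ROGUE = Cert("login.example.net", "www.example.com", is_ca=False)
SUB_CA = Cert("Sub CA", "Intermediate CA", is_ca=True)
LEAF2 = Cert("h.example.org", "Sub CA", is_ca=False)
TRUSTED = [ROOT]

if __name__ == "__main__":
    print(validate_chain([LEAF, INTER, ROOT], TRUSTED))                # ok
    print(validate_chain([ROGUE, LEAF, INTER, ROOT], TRUSTED))         # rejected
    print(validate_chain([ROGUE, LEAF, INTER, ROOT], TRUSTED, False))  # "ok": the bug
    print(validate_chain([LEAF2, SUB_CA, INTER, ROOT], TRUSTED))       # pathLen violated
```

The third call models the pre-0.6.1 behaviour: with the cA check skipped, a chain ending in a valid end-entity certificate is accepted as if that certificate were a CA.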