Your message dated Fri, 2 May 2014 18:13:39 +0200
with message-id <20140502161339.gc1...@inutil.org>
and subject line Re: Bug#458968: CVE-2007-6591: Accepts SSL certificates for
sites in subjectAltName, even though these are not displayed
has caused the Debian Bug report #458968,
regarding CVE-2007-6591: Accepts SSL certificates for sites in subjectAltName,
even though these are not displayed
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
458968: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458968
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: konqueror
Version: 4:3.5.8.dfsg.1-2
Severity: important
Tags: security
From CVE-2007-6591:
"KDE Konqueror 3.5.5 and 3.95.00, when a user accepts an SSL server certificate
on the basis of the CN domain name in the DN field, regards the certificate as
also accepted for all domain names in subjectAltName:dNSName fields, even though
these fields cannot be examined in the product, which makes it easier for remote
attackers to trick a user into accepting an invalid certificate for a spoofed
web site."
There is more info at
http://nils.toedtmann.net/pub/subjectAltName.txt
and
http://www.securityfocus.com/archive/1/483942/100/100/threaded
--- End Message ---
--- Begin Message ---
On Thu, Jan 03, 2008 at 10:57:57PM +0100, Stefan Fritsch wrote:
> Package: konqueror
> Version: 4:3.5.8.dfsg.1-2
> Severity: important
> Tags: security
>
> From CVE-2007-6591:
> "KDE Konqueror 3.5.5 and 3.95.00, when a user accepts an SSL server certificate
> on the basis of the CN domain name in the DN field, regards the certificate as
> also accepted for all domain names in subjectAltName:dNSName fields, even though
> these fields cannot be examined in the product, which makes it easier for remote
> attackers to trick a user into accepting an invalid certificate for a spoofed
> web site."
Historic Konqueror bug, closing. (It hasn't been covered by security support
for some time now.)
Cheers,
Moritz
--- End Message ---
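
The behaviour quoted from CVE-2007-6591 in the report above, modelled as an added illustration (not code from Konqueror, KDE or this bug log). The Cert class, both exception stores, the prompt text and all host names are constructed for the example, and wildcard matching is left out.

```python
# Added illustration; Cert, both stores and every host name are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    fingerprint: str
    cn: str
    san_dns: tuple = ()

    def matches(self, host):
        # A host matches if it equals the CN or any subjectAltName dNSName.
        return host.lower() in {n.lower() for n in (self.cn,) + self.san_dns}

class PerCertStore:
    """Behaviour the CVE text describes: one acceptance covers the whole certificate."""
    def __init__(self):
        self._accepted = set()

    def accept(self, cert, host):
        self._accepted.add(cert.fingerprint)  # the visited host is not recorded

    def trusted(self, cert, host):
        return cert.fingerprint in self._accepted and cert.matches(host)

class PerHostStore:
    """Exception bound to the host the user was visiting when asked."""
    def __init__(self):
        self._accepted = set()

    def accept(self, cert, host):
        self._accepted.add((cert.fingerprint, host.lower()))

    def trusted(self, cert, host):
        return (cert.fingerprint, host.lower()) in self._accepted

def prompt_text(cert, host):
    # A prompt that lists every name, so the dNSName entries can be examined.
    lines = [f"Untrusted certificate presented for {host}", f"  CN: {cert.cn}"]
    lines += [f"  subjectAltName dNSName: {n}" for n in cert.san_dns]
    return "\n".join(lines)

def demo():
    cert = Cert("AA:BB (constructed)", "intranet.example",
                ("intranet.example", "bank.example"))
    results = {}
    for store in (PerCertStore(), PerHostStore()):
        store.accept(cert, "intranet.example")  # user accepts based on the CN
        results[type(store).__name__] = store.trusted(cert, "bank.example")
    return results
```

demo() reports whether an acceptance given while visiting intranet.example is later honoured for bank.example under each store.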