Hi,

On Sunday, 20.01.2013, 06:50 +0100, Vincent Hanquez wrote:
> this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to
> bad certificate validation.
>
> Some parts of the certificate validation procedure were missing (relying on the
> work-in-progress x509 v3 extensions), and because of this anyone with a
> correct end-entity certificate can issue certificates for any arbitrary domain, i.e.
> acting as a CA.
>
> This problem has been fixed in tls-extra 0.6.1, and I advise everyone to
> upgrade as soon as possible.
>
> Despite a very serious flaw in the certificate validation, I'm happy that the
> code is seeing some audits, and would want to thank Ertugrul Söylemez for the
> findings [1].
Debian ships tls-extra 0.4.6 in what will become wheezy, and due to the freeze
upgrading to a new major upstream release is not acceptable. Would it be
possible for you to create a 0.4.6.1 with this bugfix included?

Thanks a lot,
Joachim

--
Joachim "nomeata" Breitner
Debian Developer
[email protected] | ICQ# 74513189 | GPG-Keyid: 4743206C
JID: [email protected] | http://people.debian.org/~nomeata
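The flaw the advisory above describes (a validator that followed issuer/subject linkage and signatures but never consulted the X.509 v3 BasicConstraints extension, so a holder of an ordinary end-entity certificate could sign a certificate for any name) is modelled here as an added example. It is not code from tls-extra or from either poster: certificates are plain dicts with constructed sample values, the signature check is reduced to a key-identifier match, and the names `validate_chain_naive`, `validate_chain`, `TRUST_ANCHORS` and `make_cert` are this example's own. The hardened variant additionally enforces the pathLenConstraint carried by CA certificates, which is the general check of which the CA:TRUE test is one part.

```python
"""Why a chain validator must check BasicConstraints (CA flag and pathLen).

Certificates are modelled as dicts built from constructed sample data; a real
implementation would read these fields from the DER-encoded certificate.
Signature verification is stood in for by matching the signing key id.
"""

# Constructed trust store: one root, trusted by configuration.
TRUST_ANCHORS = {
    "Example Root CA": {"subject": "Example Root CA", "key_id": "root-key",
                        "ca": True, "path_len": None},
}


def make_cert(subject, issuer, key_id, signed_by, ca=False, path_len=None):
    """Hypothetical parsed-certificate record (not a real X.509 structure)."""
    return {"subject": subject, "issuer": issuer, "key_id": key_id,
            "signed_by": signed_by, "ca": ca, "path_len": path_len}


# Legitimate chain: root -> intermediate (CA:TRUE, pathLen 0) -> server cert.
INTERMEDIATE = make_cert("Example Intermediate", "Example Root CA",
                         "int-key", "root-key", ca=True, path_len=0)
LEAF = make_cert("www.example.com", "Example Intermediate", "leaf-key", "int-key")

# Rogue chain: an ordinary end-entity certificate (CA:FALSE) is used to sign a
# certificate for a name its holder does not control.
ATTACKER_LEAF = make_cert("attacker.example.net", "Example Intermediate",
                          "atk-key", "int-key")          # ca defaults to False
FORGED = make_cert("www.victim.example", "attacker.example.net",
                   "forged-key", "atk-key")


def signature_ok(cert, issuer_cert):
    """Stand-in for a signature check: cert must be signed by the issuer's key."""
    return cert["signed_by"] == issuer_cert["key_id"]


def _linked(cert, issuer):
    """Issuer/subject name chaining plus the (simulated) signature check."""
    return cert["issuer"] == issuer["subject"] and signature_ok(cert, issuer)


def validate_chain_naive(chain, hostname):
    """Name linkage and signatures only: the shape of the pre-0.6.1 bug.

    chain[0] is the end-entity certificate, chain[-1] is issued by a trust anchor.
    """
    if chain[0]["subject"] != hostname:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if not _linked(cert, issuer):
            return False
    anchor = TRUST_ANCHORS.get(chain[-1]["issuer"])
    return anchor is not None and signature_ok(chain[-1], anchor)


def validate_chain(chain, hostname):
    """Same linkage checks plus BasicConstraints on every issuing certificate.

    At position `depth`, the issuer chain[depth + 1] has `depth` CA certificates
    below it in the path, so its pathLenConstraint (if any) must be >= depth.
    """
    if chain[0]["subject"] != hostname:
        return False
    for depth, (cert, issuer) in enumerate(zip(chain, chain[1:])):
        if not _linked(cert, issuer):
            return False
        if not issuer["ca"]:
            return False        # an end-entity certificate is acting as a CA
        if issuer["path_len"] is not None and issuer["path_len"] < depth:
            return False        # too many intermediates below this CA
    anchor = TRUST_ANCHORS.get(chain[-1]["issuer"])
    if anchor is None or not signature_ok(chain[-1], anchor):
        return False
    intermediates_below_anchor = len(chain) - 1
    if anchor["path_len"] is not None and anchor["path_len"] < intermediates_below_anchor:
        return False
    return True


if __name__ == "__main__":
    good = [LEAF, INTERMEDIATE]
    rogue = [FORGED, ATTACKER_LEAF, INTERMEDIATE]
    print("naive accepts legitimate chain:", validate_chain_naive(good, "www.example.com"))
    print("naive accepts rogue chain:     ", validate_chain_naive(rogue, "www.victim.example"))
    print("fixed accepts legitimate chain:", validate_chain(good, "www.example.com"))
    print("fixed accepts rogue chain:     ", validate_chain(rogue, "www.victim.example"))
```

Running the block shows the naive validator accepting both chains while the hardened one rejects the rogue chain; the rejection fires on the CA:FALSE issuer, and even a rogue certificate that claimed CA:TRUE would still fail the intermediate's pathLen 0, so the two BasicConstraints fields back each other up.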
_______________________________________________
Haskell-Cafe mailing list
[email protected]
http://www.haskell.org/mailman/listinfo/haskell-cafe
