We sent email to cve-ass...@mitre.org and got the following response,
but we don't agree that this was made intentionally.

This patch appears to be outside the scope of CVE. For issues of this type, the 
scope of CVE is limited to unintentional implementation mistakes. Here, the 
vendor intentionally did not do a hostname check because (quoting 
http://bugs.exim.org/show_bug.cgi?id=1479#c2) "Exim is an MTA, there has been 
no sane approach to determining a hostname suitable for verification of 
certificate identity." The vendor went on to implement a useful security 
enhancement in response to your report.
This is a very good outcome, but security enhancements are not assigned CVE-IDs.

** Bug watch added: bugs.exim.org/ #1479
   http://bugs.exim.org/show_bug.cgi?id=1479

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to exim4 in Ubuntu.
https://bugs.launchpad.net/bugs/1384232

Title:
  Certificate hostname verification fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1384232/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
