oss-sec mailing list archives
CVE Request -- aMSN -- improper SSL certificate validation (MITM)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 10 Mar 2010 17:15:04 +0100
Hi Steve, vendors, Gabriel Menezes Nunes reported: [1] http://seclists.org/bugtraq/2009/Jun/239 a deficiency in the way aMSN messenger validated SSL certificates when connecting to the MSN server. A remote attacker could conduct man-in-the-middle attacks and / or impersonate trusted servers. Affected version: Issue originally reported against aMSN v0.97.2, but further research showed [4] latest aMSN v0.98.3 still suffers from the flaw. References: [2] http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html [3] http://secunia.com/advisories/35621/ [4] http://www.opensource-archive.org/showthread.php?p=183821 [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572818 Upstream (testing) patch: [6] http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/?view=log&pathrev=11991 Not sure, if this already got a CVE id, but in case if not, could you allocate one? Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request -- aMSN -- improper SSL certificate validation (MITM) Jan Lieskovsky (Mar 10)