CVE Request -- aMSN -- improper SSL certificate validation (MITM)

[Jan Lieskovsky <jlieskov () redhat com>]

Hi Steve, vendors,

  Gabriel Menezes Nunes reported:
    [1] http://seclists.org/bugtraq/2009/Jun/239

  a deficiency in the way aMSN messenger validated SSL certificates when
  connecting to the MSN server. A remote attacker could conduct man-in-the-middle
  attacks and / or impersonate trusted servers.

  Affected version:
    Issue originally reported against aMSN v0.97.2, but further research showed [4]
    latest aMSN v0.98.3 still suffers from the flaw.

  References:
    [2] http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html
    [3] http://secunia.com/advisories/35621/
    [4] http://www.opensource-archive.org/showthread.php?p=183821
    [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572818

  Upstream (testing) patch:
    [6] http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/?view=log&pathrev=11991

Not sure, if this already got a CVE id, but in case if not, could you allocate one?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team