oss-sec mailing list archives
CVE Request -- OpenConnect < v2.25 did not verify SSL server certificates
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Sun, 01 Aug 2010 18:00:32 +0200
Hello Steve, vendors, OpenConnect upstream has released OpenConnect v2.25: [1] http://www.infradead.org/openconnect.html addressing following security related issues (from [1]): OpenConnect v2.25 — 2010-05-15 * Always validate server certificate, even when no extra --cafile is provided. * Add --no-cert-check option to avoid certificate validation. * Check server hostname against its certificate. * Provide text-mode function for reviewing and accepting "invalid" certificates. * Fix libproxy detection on NetBSD. References: [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590873 [3] ftp://ftp.infradead.org/pub/openconnect/openconnect-2.25.tar.gz Though not direct security issue(s) [rather security hardening], once the package has SSL support, it should be enabled by default to avoid unintentional MITM attacks (implying from default package configuration use). Steve, could you allocate a CVE identifier for this? (but opened for discussion if such security hardening fixes aren't considered enough this to be handled as a security issue). Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request -- OpenConnect < v2.25 did not verify SSL server certificates Jan Lieskovsky (Aug 01)
- Re: CVE Request -- OpenConnect < v2.25 did not verify SSL server certificates Josh Bressers (Aug 02)