Re: CVE Request -- OpenConnect < v2.25 did not verify SSL server certificates

[Josh Bressers <bressers () redhat com>]

Steve,

Can MITRE take this one. I'm not sure how to dish out the IDs in this case.
All the issues are related, but different as to how certificates work.

Thanks.

-- 
    JB
----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:

> Hello Steve, vendors,
>
>    OpenConnect upstream has released OpenConnect v2.25:
>    [1] http://www.infradead.org/openconnect.html
>
> addressing following security related issues (from [1]):
>    OpenConnect v2.25 — 2010-05-15
>
>      * Always validate server certificate, even when no extra --cafile
> is provided.
>      * Add --no-cert-check option to avoid certificate validation.
>      * Check server hostname against its certificate.
>      * Provide text-mode function for reviewing and accepting
> "invalid" certificates.
>      * Fix libproxy detection on NetBSD.
>
> References:
>    [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590873
>    [3]
> ftp://ftp.infradead.org/pub/openconnect/openconnect-2.25.tar.gz
>
> Though not direct security issue(s) [rather security hardening], once
> the package has SSL support,
> it should be enabled by default to avoid unintentional MITM attacks
> (implying from default package
> configuration use).
>
> Steve, could you allocate a CVE identifier for this? (but opened for
> discussion if such security
> hardening fixes aren't considered enough this to be handled as a
> security issue).
>
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team