oss-sec mailing list archives

Re: CVE request: openssl: missing critical flag for extended key usage not always detected in time-stamp verification

From: Florian Weimer <fweimer () redhat com>
Date: Thu, 17 Apr 2014 12:48:36 +0200

On 04/16/2014 10:10 PM, Raphael Geissert wrote:

Hi,

Quoting from [0]:

"check_purpose_timestamp_sign()" in source file v3_purp.c [...] fails to
detect a missing critical flag if the extensions of the TSA certificate
are arranged in a specific order.


Could a CVE id be assigned for this?


As described, this isn't a security issue, but the actual commit

<http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=300b9f0b704048f60776881f1d378c74d9c32fbd>

might constitute a security fix if this applies not just to extensionson TSA certificates.


--
Florian Weimer / Red Hat Product Security Team

Current thread:

CVE request: openssl: missing critical flag for extended key usage not always detected in time-stamp verification Raphael Geissert (Apr 16)
- Re: CVE request: openssl: missing critical flag for extended key usage not always detected in time-stamp verification Florian Weimer (Apr 17)