oss-sec mailing list archives
Re: CVE Request: GnuTLS: OCSP validation issue (GNUTLS-SA-2016-3)
From: cve-assign () mitre org
Date: Sun, 18 Sep 2016 10:41:38 -0400 (EDT)
can falsely report a certificate as valid under certain circumstances
if the serial from the revoked certificate is a prefix of the other one, and the additional bytes happen to be equal on the system doing the verification.
https://lists.gnupg.org/pipermail/gnutls-devel/2016-September/008146.html
https://gitlab.com/gnutls/gnutls/commit/964632f37dfdfb914ebc5e49db4fa29af35b1de9
https://bugzilla.redhat.com/show_bug.cgi?id=1374266
Use CVE-2016-7444.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
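The serial comparison flaw described in the quoted text above, as a simplified model added here; it is not GnuTLS source and not part of the original message. The struct, function names, buffer size and serial values are constructed for illustration: a flawed check that ignores the certificate serial's length is shown beside a length-checked one.

```c
#include <stdio.h>
#include <string.h>

#define SERIAL_BUF 32   /* fixed scratch size, assumed for this sketch */

/* Hypothetical holder: a serial copied into a fixed buffer; bytes past
 * `len` keep whatever the buffer held before. */
struct serial_buf {
    unsigned char bytes[SERIAL_BUF];
    size_t len;
};

/* Flawed check: trusts only the response's length, so it also compares the
 * leftover bytes that follow the certificate's (shorter) serial. */
int serial_match_flawed(const struct serial_buf *cert, const unsigned char *resp, size_t resp_len)
{
    if (resp_len > SERIAL_BUF) return 0;
    return memcmp(cert->bytes, resp, resp_len) == 0;
}

/* Corrected check: lengths must agree before any bytes are compared. */
int serial_match_strict(const struct serial_buf *cert, const unsigned char *resp, size_t resp_len)
{
    return cert->len == resp_len && memcmp(cert->bytes, resp, resp_len) == 0;
}

/* Constructed data: revoked serial 01 02 is a prefix of 01 02 03 04, the
 * serial named in a "good" OCSP response for a different certificate. */
static const unsigned char RESP_SERIAL[] = { 0x01, 0x02, 0x03, 0x04 };

/* Returns 1 if the chosen check accepts that response for the revoked
 * certificate; s2 and s3 are the leftover bytes after its 2-byte serial. */
int revoked_cert_accepted(int use_strict, unsigned char s2, unsigned char s3)
{
    struct serial_buf cert;
    memset(&cert, 0, sizeof cert);
    cert.bytes[0] = 0x01; cert.bytes[1] = 0x02;   /* revoked serial */
    cert.bytes[2] = s2;   cert.bytes[3] = s3;     /* leftover bytes */
    cert.len = 2;
    return use_strict ? serial_match_strict(&cert, RESP_SERIAL, sizeof RESP_SERIAL)
                      : serial_match_flawed(&cert, RESP_SERIAL, sizeof RESP_SERIAL);
}

int main(void)
{
    printf("flawed=%d strict=%d\n", revoked_cert_accepted(0, 3, 4), revoked_cert_accepted(1, 3, 4));
    return 0;
}
```

The flawed check accepts the response only when the leftover bytes happen to equal the tail of the longer serial, which is why the outcome depends on the verifying system's memory contents.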
Current thread:
- CVE Request: GnuTLS: OCSP validation issue (GNUTLS-SA-2016-3) Salvatore Bonaccorso (Sep 18)
- Re: CVE Request: GnuTLS: OCSP validation issue (GNUTLS-SA-2016-3) cve-assign (Sep 18)