oss-sec mailing list archives
Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass
From: Tomas Hoger <thoger () redhat com>
Date: Wed, 5 Aug 2009 22:05:15 +0200
Hi Matthias!

On Wed, 05 Aug 2009 18:55:39 +0200 "Matthias Andree" <matthias.andree () gmx de> wrote:

> FWIW, I haven't yet tested if this works for NUL in subjectAltNames, as I currently don't know how to generate such a certificate (can be self-signed) without writing major amounts of code. If someone has a certificate that has embedded NULs in subjectAltNames that I can use for testing, please send it along together with its key so that I can check the fix also works in that code path.

I managed to build these, that may be helpful during the testing:

http://people.redhat.com/thoger/certs-with-nuls/

Let me know if anything needed is missing there.

HTH

-- 
Tomas Hoger / Red Hat Security Response Team