oss-sec mailing list archives
Re: CVE Request: libesmtp does not check NULL bytes in commonName
From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Tue, 16 Mar 2010 08:54:20 +0100
Brian Stafford wrote:
I think the best approach is to apply Pawel's patch as this is the
I must have missed that patch. Could you re-post it?
simplest in terms of changes to the existing code base, and perhaps move to Ludwig's for a later release of libESMTP. In the slightly longer term, I think the internet draft at http://tools.ietf.org/html/draft-saintandre-tls-server-id-check is the one to follow but this might change substantially or even fall of the rails entirely. [...] The I-D says only the leftmost component may contain a wildcard but this would rule out *.*.google.com The algorithm I've outlined is really a halfway house between RFC2818, which I think is too flexible, and the I-D; limit the positions of wildcards in the hostname and dont allow elaborate matches within a hostname component. Any ideas or opinions on this would be useful.
Is there a way to comment on the draft? Maybe the author of the draft didn't think about the cases you'd like to handle. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Current thread:
- CVE Request: libesmtp does not check NULL bytes in commonName Kees Cook (Mar 03)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Jan Lieskovsky (Mar 09)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 10)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Brian Stafford (Mar 10)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 11)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Brian Stafford (Mar 11)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 11)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Brian Stafford (Mar 11)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Brian Stafford (Mar 15)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 16)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Brian Stafford (Mar 16)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName ArkanoiD (Mar 16)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 16)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Peter Sylvester (Mar 16)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName ArkanoiD (Mar 16)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 17)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 10)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Brian Stafford (Mar 16)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Brian Stafford (Mar 17)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 17)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName ArkanoiD (Mar 17)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Jan Lieskovsky (Mar 09)