oss-sec mailing list archives

Re: CVE Request: libesmtp does not check NULL bytes in commonName


From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Tue, 16 Mar 2010 08:54:20 +0100

Brian Stafford wrote:
> I think the best approach is to apply Pawel's patch as this is the

I must have missed that patch. Could you re-post it?

> simplest in terms of changes to the existing code base, and perhaps move
> to Ludwig's for a later release of libESMTP.  In the slightly longer
> term, I think the internet draft at
> http://tools.ietf.org/html/draft-saintandre-tls-server-id-check is the
> one to follow but this might change substantially or even fall off the
> rails entirely.
>
> [...] The I-D says only the leftmost
> component may contain a wildcard but this would rule out *.*.google.com.
> The algorithm I've outlined is really a halfway house between RFC2818,
> which I think is too flexible, and the I-D; limit the positions of
> wildcards in the hostname and don't allow elaborate matches within a
> hostname component.  Any ideas or opinions on this would be useful.

Is there a way to comment on the draft? Maybe the author of the
draft didn't think about the cases you'd like to handle.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
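
Added example, not part of the original message and not libESMTP code: a sketch of the stricter rule quoted above from the I-D (wildcard only as the entire leftmost component), combined with the embedded-NUL check named in the thread subject. The function name `cert_name_matches`, the 255-byte limit, the refusal of `*.tld` and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: a commonName whose ASN.1 length covers an embedded NUL. */
static const char NUL_CN[] = "good.example\0.evil.test";

/* Hypothetical helper. cn/cn_len come from the certificate's ASN.1 string
 * (length as encoded, not strlen); host is the server we meant to reach.
 * Returns 1 on match, 0 otherwise. */
int cert_name_matches(const char *cn, size_t cn_len, const char *host)
{
    char name[256];
    const char *host_rest;

    /* Reject embedded NULs: strcmp-style code would stop at the first one
     * and accept NUL_CN for the host "good.example". */
    if (cn_len == 0 || cn_len >= sizeof name || memchr(cn, '\0', cn_len))
        return 0;
    memcpy(name, cn, cn_len);
    name[cn_len] = '\0';

    /* No wildcard: plain case-insensitive comparison. */
    if (strchr(name, '*') == NULL)
        return strcasecmp(name, host) == 0;

    /* Wildcard only as the entire leftmost label, i.e. "*.rest". */
    if (name[0] != '*' || name[1] != '.' || strchr(name + 1, '*') != NULL)
        return 0;

    /* Assumption added here, not from the thread: refuse "*.tld". */
    if (strchr(name + 2, '.') == NULL)
        return 0;

    /* The wildcard stands for exactly one non-empty host label. */
    host_rest = strchr(host, '.');
    if (host_rest == NULL || host_rest == host)
        return 0;
    return strcasecmp(name + 1, host_rest) == 0;
}

int main(void)
{
    printf("%d\n", cert_name_matches(NUL_CN, sizeof NUL_CN - 1, "good.example"));
    printf("%d\n", cert_name_matches("*.example.com", 13, "mail.example.com"));
    printf("%d\n", cert_name_matches("*.*.google.com", 14, "a.b.google.com"));
    return 0;
}
```

Under this rule `*.*.google.com` is refused outright, which is the case the quoted text says the I-D would rule out.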

