oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request -- aMSN -- improper SSL certificate validation (MITM)

From: Josh Bressers <bressers () redhat com>
Date: Thu, 1 Apr 2010 11:48:08 -0400 (EDT)
----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:


Hi Steve, vendors,

   Gabriel Menezes Nunes reported:
     [1] http://seclists.org/bugtraq/2009/Jun/239

   a deficiency in the way aMSN messenger validated SSL certificates
when
   connecting to the MSN server. A remote attacker could conduct
man-in-the-middle
   attacks and / or impersonate trusted servers.

   Affected version:
     Issue originally reported against aMSN v0.97.2, but further
research showed [4]
     latest aMSN v0.98.3 still suffers from the flaw.

   References:
     [2]
http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html
     [3] http://secunia.com/advisories/35621/
     [4] http://www.opensource-archive.org/showthread.php?p=183821
     [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572818

   Upstream (testing) patch:
     [6]
http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/?view=log&pathrev=11991

Not sure, if this already got a CVE id, but in case if not, could you
allocate one?



I can't find a CVE id.

Please use CVE-2010-0744

Thanks.

-- 
    JB
Previous By Date Next
Previous By Thread Next

Current thread: