oss-sec mailing list archives
Re: CVE Request -- aMSN -- improper SSL certificate validation (MITM)
From: Josh Bressers <bressers () redhat com>
Date: Thu, 1 Apr 2010 11:48:08 -0400 (EDT)
----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:
Hi Steve, vendors, Gabriel Menezes Nunes reported: [1] http://seclists.org/bugtraq/2009/Jun/239 a deficiency in the way aMSN messenger validated SSL certificates when connecting to the MSN server. A remote attacker could conduct man-in-the-middle attacks and / or impersonate trusted servers. Affected version: Issue originally reported against aMSN v0.97.2, but further research showed [4] latest aMSN v0.98.3 still suffers from the flaw. References: [2] http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html [3] http://secunia.com/advisories/35621/ [4] http://www.opensource-archive.org/showthread.php?p=183821 [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572818 Upstream (testing) patch: [6] http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/?view=log&pathrev=11991 Not sure, if this already got a CVE id, but in case if not, could you allocate one?
I can't find a CVE id. Please use CVE-2010-0744 Thanks. -- JB
Current thread:
- Re: CVE Request -- aMSN -- improper SSL certificate validation (MITM) Josh Bressers (Apr 01)