oss-sec mailing list archives
Re: CVE request: irssi 0.8.15
From: Tomas Hoger <thoger () redhat com>
Date: Tue, 13 Apr 2010 14:41:21 +0200
On Mon, 12 Apr 2010 15:41:34 -0400 (EDT) Josh Bressers <bressers () redhat com> wrote:
> It fixes the old "does not properly handle a '\0' character in a domain name
> in the subject's Common Name (CN) field" flaw, plus also verifies that the
> server being connected to is the one listed in the certificate.
>
> Let's assign these as such:
>
> CVE-2010-1154 irssi 0.8.15 /0 in CN field
> CVE-2010-1155 irssi 0.8.15 certificate host validation

I believe assignment of CVE-2010-1154 is redundant here, given that CVE-2010-1155 is about the completely missing server name check. If it wasn't checking names, it wasn't handling \0 in names incorrectly.

-- 
Tomas Hoger / Red Hat Security Response Team