oss-sec mailing list archives

CVE request: radsecproxy incorrect x.509 certificate validation

From: Raphael Geissert <geissert () debian org>
Date: Wed, 17 Oct 2012 12:48:19 -0500

Hi,

Ralf Paffrath discovered that radsecproxy may incorrectly accept a client 
certificate if the certificates chain was validated with the CA settings of 
one configuration block but the other certificate constraints failed, and the 
certificate constraints of another configuration block passed (ignoring this 
other config block's CA settings.)

This issue has been fixed in version 1.6.1. However, it introduces a minor 
regression as it ignores some configuration blocks (see the references for 
further details.)

Could a CVE id be assigned?

Thanks in advance. 

References:
https://project.nordu.net/browse/RADSECPROXY-43
https://postlister.uninett.no/sympa/arc/radsecproxy/2012-09/msg00001.html
https://postlister.uninett.no/sympa/arc/radsecproxy/2012-09/msg00006.html

-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Current thread:

CVE request: radsecproxy incorrect x.509 certificate validation Raphael Geissert (Oct 17)
- Re: CVE request: radsecproxy incorrect x.509 certificate validation Kurt Seifried (Oct 17)
- Re: CVE request: radsecproxy incorrect x.509 certificate validation Raphael Geissert (Oct 30)
  - Re: Re: CVE request: radsecproxy incorrect x.509 certificate validation Kurt Seifried (Oct 31)