oss-sec mailing list archives

CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored


From: Sébastien Delafond <seb () debian org>
Date: Sun, 22 Feb 2015 12:32:36 +0000 (UTC)

Hi,

mod-gnutls doesn't consider the server's client verify mode, even if the
verify mode was unset in the directory configuration. As a result,
invalid certificates are ignored and clients can connect and receive
data as long as they presented any certificate whatsoever.

  Debian bug: https://bugs.debian.org/578663
  Patch and detailed description: https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2

Could you please assign a CVE for this issue?

Cheers,

--Seb
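
A configuration audit for the condition reported above, as an added example that is not part of the original post or of mod_gnutls: it lists every `GnuTLSClientVerify require` set at server or virtual-host level rather than inside a directory-type section, which by this report is the setting that affected builds do not enforce. The sample configuration, the `audit` function and the simplified parsing (one directive per line, no `Include` handling) are assumptions made here.

```python
import re

# Constructed sample configuration (not taken from the report or the Debian bug).
SAMPLE_CONF = """\
<VirtualHost *:443>
    GnuTLSClientVerify require
    <Directory /srv/www/private>
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:8443>
    <Directory /srv/www/api>
        GnuTLSClientVerify require
    </Directory>
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")
VERIFY = re.compile(r"GnuTLSClientVerify\s+(\w+)", re.I)
# Apache containers that hold per-directory configuration.
DIR_SCOPES = {"directory", "directorymatch", "location",
              "locationmatch", "files", "filesmatch"}

def audit(conf):
    """Return (line, scope, mode) for each server-level 'require' setting."""
    stack, findings = [], []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            stack = stack[:-1]          # leave the innermost container
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append((opened.group(1).lower(), opened.group(2).strip()))
            continue
        m = VERIFY.match(line)
        if not m or m.group(1).lower() != "require":
            continue
        if any(name in DIR_SCOPES for name, _ in stack):
            continue                    # set per directory, not at server level
        scope = " ".join(stack[-1]) if stack else "global"
        findings.append((lineno, scope, m.group(1).lower()))
    return findings

if __name__ == "__main__":
    for lineno, scope, mode in audit(SAMPLE_CONF):
        print(f"line {lineno}: server-level '{mode}' in {scope}")
```

Each reported line marks a virtual host whose client-certificate requirement should be re-tested against the installed mod_gnutls build.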

