oss-sec mailing list archives
CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored
From: Sébastien Delafond <seb () debian org>
Date: Sun, 22 Feb 2015 12:32:36 +0000 (UTC)
Hi, mod-gnutls doesn't consider the server's client verify mode, even if the verify mode was unset in the directory configuration. As a result, invalid certificates are ignored and clients can connect and receive data as long as they presented any certificate whatsoever. Debian bug: https://bugs.debian.org/578663 Patch and detailed description: https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2 Could you please assign a CVE for this issue ? Cheers, --Seb
Current thread:
- CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored Sébastien Delafond (Feb 22)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored Sébastien Delafond (Feb 23)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored cve-assign (Feb 25)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored Sébastien Delafond (Feb 26)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored cve-assign (Feb 26)