oss-sec mailing list archives

Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored

From: Sébastien Delafond <seb () debian org>
Date: Mon, 23 Feb 2015 12:52:21 +0000 (UTC)

On 2015-02-22, Sébastien Delafond <seb () debian org> wrote:


Hi,

mod-gnutls doesn't consider the server's client verify mode, even if the
verify mode was unset in the directory configuration. As a result,
invalid certificates are ignored and clients can connect and receive
data as long as they presented any certificate whatsoever.

  Debian bug: https://bugs.debian.org/578663
  Patch and detailed description: 
https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2

Could you please assign a CVE for this issue ?


Explicitely adding cve-assign to Cc.

Cheers,

--Seb

Current thread:

CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored Sébastien Delafond (Feb 22)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored Sébastien Delafond (Feb 23)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored cve-assign (Feb 25)
  - Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored Sébastien Delafond (Feb 26)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored cve-assign (Feb 26)