oss-sec mailing list archives
Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored
From: Sébastien Delafond <sdelafond () gmail com>
Date: Thu, 26 Feb 2015 10:22:57 +0000 (UTC)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 is apparently about ignoring GnuTLSClientVerify when this directive is present only in a server config context.
This is the issue at hand, yes.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 is apparently discussing the 2009 bug when saying "This bug still exists in current stable and unstable packages" but perhaps is actually referring to a remaining issue that exists because of an incomplete fix for the 2009 bug.
Correct.
The various discussion of "when I browse site2 in IE, it shows me the certificate of site1" and "it seems curl extension of php also can't correctly connect" in http://issues.outoforder.cc/view.php?id=93#c187 is possibly a user error and not a valid third vulnerability report.
Agreed.
So, are you looking for: one CVE-2009-#### ID -- vulnerability involving the directory context one CVE-2015-#### ID -- vulnerability involving the server config context
The latter; this issue is definitely about the server config context being ignored. Cheers, --Seb
Current thread:
- CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored Sébastien Delafond (Feb 22)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored Sébastien Delafond (Feb 23)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored cve-assign (Feb 25)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored Sébastien Delafond (Feb 26)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored cve-assign (Feb 26)