oss-sec mailing list archives

Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored

From: Sébastien Delafond <sdelafond () gmail com>
Date: Thu, 26 Feb 2015 10:22:57 +0000 (UTC)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 is
apparently about ignoring GnuTLSClientVerify when this directive is
present only in a server config context.


This is the issue at hand, yes.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663#10 is
apparently discussing the 2009 bug when saying "This bug still
exists in current stable and unstable packages" but perhaps is
actually referring to a remaining issue that exists because of an
incomplete fix for the 2009 bug.


Correct.

The various discussion of "when I browse site2 in IE, it shows me
the certificate of site1" and "it seems curl extension of php also
can't correctly connect" in
http://issues.outoforder.cc/view.php?id=93#c187 is possibly a user
error and not a valid third vulnerability report.


Agreed.

So, are you looking for:

  one CVE-2009-#### ID  -- vulnerability involving the directory context

  one CVE-2015-#### ID  -- vulnerability involving the server config context


The latter; this issue is definitely about the server config context
being ignored.

Cheers,

--Seb

Current thread:

CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored Sébastien Delafond (Feb 22)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored Sébastien Delafond (Feb 23)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored cve-assign (Feb 25)
  - Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored Sébastien Delafond (Feb 26)
- Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored cve-assign (Feb 26)