oss-sec mailing list archives

Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777


From: Michael Samuel <mik () miknet net>
Date: Thu, 12 Mar 2015 10:44:58 +1100

On 12 March 2015 at 02:48, Kurt Seifried <kseifried () redhat com> wrote:

> Much like /tmp issues the solution that will save us is not to fix every
> /tmp issue but rather do more intelligent things like poly instantiated
> tmp or systemd per process tmp. Sadly I don't see such an easy
> possibility with TLS/SSL, but if we have a decent test
> framework/reproduction ability it will make finding, fixing and
> verifying these things a whole lot easier long term.

You can test for the common bugs extremely easily - you need two types of
bogus certificate installed on the server:
- A completely untrusted (e.g. self-signed) certificate
- A certificate signed by a trusted authority but for the wrong hostname

It's not too hard to test SSH connections in a similar manner (just regen the
ssh host keys after the first connection).

Alternatively, you could make your OpenSSL modules for various languages
return client ctxs that verify by default - the topic of this discussion :)

Regards,
  Michael
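
The two-certificate test described above, as an added example that is not part of the thread or of any project's code: it assumes the third-party `cryptography` package for generating the certificates (stdlib `ssl` does the rest), starts a loopback TLS server per case, and checks that a non-verifying client context accepts both bogus certificates while a properly verifying one rejects both. The hostnames and the "Test CA" name are constructed for the test.

```python
import datetime as dt, socket, ssl, tempfile, threading
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization as ser
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, ca=None, is_ca=False):  # (cert, key) with CN and SAN `cn`; self-signed unless ca=(cert, key)
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(ca[0].subject if ca else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(ca[1] if ca else key, hashes.SHA256()))
    return cert, key

def serve_once(cert, key):  # one-shot TLS server on 127.0.0.1 presenting `cert`; returns its port
    with tempfile.NamedTemporaryFile("wb", suffix=".pem", delete=False) as f:  # load_cert_chain needs a file
        f.write(cert.public_bytes(ser.Encoding.PEM) + key.private_bytes(ser.Encoding.PEM, ser.PrivateFormat.PKCS8, ser.NoEncryption()))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); ctx.load_cert_chain(f.name)
    lsock = socket.socket(); lsock.bind(("127.0.0.1", 0)); lsock.listen(1)
    def run():
        conn, _ = lsock.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError): pass  # a rejecting client aborts the handshake with an alert: expected
        finally: lsock.close()
    threading.Thread(target=run, daemon=True).start()
    return lsock.getsockname()[1]

def client_accepts(ctx, port, hostname):  # True if `ctx` finishes the handshake, False if it rejects the cert
    try:
        with socket.create_connection(("127.0.0.1", port)) as s, ctx.wrap_socket(s, server_hostname=hostname) as tls:
            tls.send(b"x")
        return True
    except ssl.SSLCertVerificationError:
        return False

def run_checks(host="rhn.example.test"):  # accept matrix: {case: {"naive": bool, "verifying": bool}}
    ca = make_cert("Test CA", is_ca=True)
    cases = {"self_signed": make_cert(host), "wrong_hostname": make_cert("other.example.test", ca=ca)}
    verifying = ssl.create_default_context(cadata=ca[0].public_bytes(ser.Encoding.PEM).decode())  # trusts only Test CA
    naive = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # the non-verifying client ctx the thread complains about
    naive.check_hostname, naive.verify_mode = False, ssl.CERT_NONE
    return {name: {label: client_accepts(ctx, serve_once(cert, key), host)
                   for label, ctx in (("naive", naive), ("verifying", verifying))}
            for name, (cert, key) in cases.items()}
```

A client library under test would be exercised the same way: point it at the port `serve_once` returns with the expected hostname and treat any completed handshake against either certificate as the bug.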
