oss-sec mailing list archives
CVE request: libinfinity did not correctly check certificates for validity
From: Philipp Kern <pkern () debian org>
Date: Tue, 12 May 2015 08:44:06 +0200
Hi,

Debian bug #783601[1] reported that Gobby - a collaborative text editor - silently accepted expired certificates. The upstream bug report is [2]. The bug is actually in libinfinity and the fix is available on [2].

libinfinity does support certificate pinning and hence contains the ability to disable some checks like trusted issuer and hostname verification. However the catch-all validity check was in the wrong location.

Please assign a CVE ID for this.

Kind regards and thanks
Philipp Kern

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783601
[2] https://github.com/gobby/gobby/issues/61
[3] https://github.com/gobby/libinfinity/commit/c97f870f5ae13112988d9f8ad464b4f679903706
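An added example, not libinfinity's code and not part of the original post: one way a catch-all validity check in the wrong place lets an expired certificate through when pinning waives the issuer and hostname checks. The status bits and function names are hypothetical and the sample status is constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical status bits, modelled on the kind a TLS library reports. */
enum {
    ST_ISSUER_UNKNOWN    = 1u << 0,
    ST_HOSTNAME_MISMATCH = 1u << 1,
    ST_EXPIRED           = 1u << 2,
    ST_NOT_ACTIVATED     = 1u << 3,
    ST_REVOKED           = 1u << 4
};

/* Only these findings may be waived when the certificate matches a pin. */
#define PIN_WAIVABLE (ST_ISSUER_UNKNOWN | ST_HOSTNAME_MISMATCH)

/* Misplaced check: the catch-all sits on the unpinned path only, so a
 * pinned certificate is accepted whatever else is wrong with it. */
bool accept_misplaced(unsigned status, bool pin_matches)
{
    if (pin_matches)
        return true;
    return status == 0;
}

/* Corrected placement: waive the two pin-related findings first, then run
 * the catch-all on everything that is left, pinned or not. */
bool accept_fixed(unsigned status, bool pin_matches)
{
    if (pin_matches)
        status &= ~(unsigned)PIN_WAIVABLE;
    return status == 0;
}

int main(void)
{
    /* Constructed case: pinned self-signed certificate that has expired. */
    unsigned status = ST_ISSUER_UNKNOWN | ST_EXPIRED;
    printf("misplaced: %s\n", accept_misplaced(status, true) ? "accept" : "reject");
    printf("fixed:     %s\n", accept_fixed(status, true) ? "accept" : "reject");
    return 0;
}
```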