oss-sec mailing list archives

CVE request: libinfinity did not correctly check certificates for validity


From: Philipp Kern <pkern () debian org>
Date: Tue, 12 May 2015 08:44:06 +0200

Hi,

Debian bug #783601[1] reported that Gobby - a collaborative text editor
- silently accepted expired certificates. The upstream bug report is
[2]. The bug is actually in libinfinity and the fix is available on [2].

libinfinity does support certificate pinning and hence contains the
ability to disable some checks like trusted issuer and hostname
verification. However, the catch-all validity check was in the wrong
location.

Please assign a CVE ID for this.

Kind regards and thanks
Philipp Kern

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783601
[2] https://github.com/gobby/gobby/issues/61
[3] https://github.com/gobby/libinfinity/commit/c97f870f5ae13112988d9f8ad464b4f679903706
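The class of bug described in the request, shown as an added example that is not libinfinity's code and does not reproduce its actual control flow: a simplified C model where pinning is allowed to replace the trusted-issuer and hostname checks, and the only difference between the "buggy" and "fixed" verifier is whether the validity-period check sits inside the branch that pinning short-circuits or runs unconditionally before it. The `model_cert` struct, the fingerprints, hostnames and timestamps are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Simplified model of a peer certificate (constructed for this example;
 * a real implementation would work on a parsed X.509 object instead). */
typedef struct {
    const char *hostname;     /* subject name the cert was issued for */
    const char *fingerprint;  /* hex digest used for pinning */
    time_t not_before;        /* start of validity period */
    time_t not_after;         /* end of validity period */
    bool issuer_trusted;      /* chains to a trusted CA */
} model_cert;

typedef enum {
    VERIFY_OK = 0,
    VERIFY_NOT_YET_VALID,
    VERIFY_EXPIRED,
    VERIFY_HOSTNAME_MISMATCH,
    VERIFY_UNTRUSTED_ISSUER
} verify_result;

/* Catch-all validity check: the period is compared against 'now'. */
static verify_result check_validity_period(const model_cert *c, time_t now) {
    if (now < c->not_before) return VERIFY_NOT_YET_VALID;
    if (now > c->not_after)  return VERIFY_EXPIRED;
    return VERIFY_OK;
}

static bool pin_matches(const model_cert *c, const char *pinned_fp) {
    return pinned_fp != NULL && strcmp(c->fingerprint, pinned_fp) == 0;
}

/* Buggy shape: the validity check lives at the end of the branch that a
 * matching pin short-circuits, so a pinned but expired cert is accepted. */
verify_result verify_buggy(const model_cert *c, const char *expected_host,
                           const char *pinned_fp, time_t now) {
    if (pin_matches(c, pinned_fp))
        return VERIFY_OK;   /* skips issuer, hostname AND validity period */
    if (!c->issuer_trusted) return VERIFY_UNTRUSTED_ISSUER;
    if (strcmp(c->hostname, expected_host) != 0) return VERIFY_HOSTNAME_MISMATCH;
    return check_validity_period(c, now);
}

/* Fixed shape: the validity period is checked unconditionally, and a pin
 * is only allowed to stand in for the issuer and hostname checks. */
verify_result verify_fixed(const model_cert *c, const char *expected_host,
                           const char *pinned_fp, time_t now) {
    verify_result r = check_validity_period(c, now);
    if (r != VERIFY_OK) return r;
    if (pin_matches(c, pinned_fp))
        return VERIFY_OK;   /* pin replaces issuer + hostname checks only */
    if (!c->issuer_trusted) return VERIFY_UNTRUSTED_ISSUER;
    if (strcmp(c->hostname, expected_host) != 0) return VERIFY_HOSTNAME_MISMATCH;
    return VERIFY_OK;
}

/* Constructed sample: a self-signed cert the client has pinned, whose
 * validity period ended one day before 'now'. */
model_cert sample_expired_pinned(time_t now) {
    model_cert c = { "gobby.example", "ab12cd34",
                     now - 2 * 86400, now - 86400, false };
    return c;
}

int main(void) {
    time_t now = 1000000;
    model_cert c = sample_expired_pinned(now);
    /* Expected: buggy verifier returns 0 (VERIFY_OK), fixed returns 2 (VERIFY_EXPIRED). */
    printf("buggy: %d  fixed: %d\n",
           (int)verify_buggy(&c, "gobby.example", "ab12cd34", now),
           (int)verify_fixed(&c, "gobby.example", "ab12cd34", now));
    return 0;
}
```

The point to take from the two functions is ordering, not the comparison itself: any check that must hold regardless of how trust was established (expiry, activation date, revocation state) belongs before the pinning decision, so that disabling issuer and hostname verification for a pinned peer cannot also disable it.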
