oss-sec mailing list archives
Re: CVE request: libinfinity did not correctly check certificates for validity
From: Philipp Kern <pkern () debian org>
Date: Wed, 13 May 2015 18:43:24 +0200
[Adding MITRE's cve-assign alias to the Cc] On 2015-05-12 08:44, Philipp Kern wrote:
Debian bug #783601[1] reported that Gobby - a collaborative text editor - silently accepted expired certificates. The upstream bug report is[2]. The bug is actually in libinfinity and the fix is available on [2].libinfinity does support certificate pinning and hence contains the ability to disable some checks like trusted issuer and hostname verification. However the catch-all validity check was in the wrong location. Please assign a CVE ID for this. Kind regards and thanks Philipp Kern [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783601 [2] https://github.com/gobby/gobby/issues/61 [3] https://github.com/gobby/libinfinity/commit/c97f870f5ae13112988d9f8ad464b4f679903706
Current thread:
- CVE request: libinfinity did not correctly check certificates for validity Philipp Kern (May 12)
- Re: CVE request: libinfinity did not correctly check certificates for validity Philipp Kern (May 13)