Re: CVE request: libinfinity did not correctly check certificates for validity

[Philipp Kern <pkern () debian org>]

[Adding MITRE's cve-assign alias to the Cc]

On 2015-05-12 08:44, Philipp Kern wrote:
> Debian bug #783601[1] reported that Gobby - a collaborative text editor
> - silently accepted expired certificates. The upstream bug report is
> [2]. The bug is actually in libinfinity and the fix is available on 
> [2].
>
> libinfinity does support certificate pinning and hence contains the
> ability to disable some checks like trusted issuer and hostname
> verification. However the catch-all validity check was in the wrong
> location.
>
> Please assign a CVE ID for this.
>
> Kind regards and thanks
> Philipp Kern
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783601
> [2] https://github.com/gobby/gobby/issues/61
> [3]
> https://github.com/gobby/libinfinity/commit/c97f870f5ae13112988d9f8ad464b4f679903706