path: root/fetchmail-SA-2009-01.txt
author: Matthias Andree <matthias.andree@gmx.de> 2009-08-05 22:59:58 +0000
committer: Matthias Andree <matthias.andree@gmx.de> 2009-08-05 22:59:58 +0000
commit: defebaa488f22c77009c7dfdd38045138baa342c (patch)
tree: 4146af017a0ab8730f52f67b5f3b06745b433cf7 /fetchmail-SA-2009-01.txt
parent: c47559dc34fd1e93c467664270ec9aef5693ba5c (diff)
Add CVE information, clear unrelated part from patch.
svn path=/branches/BRANCH_6-3/; revision=5394
Diffstat (limited to 'fetchmail-SA-2009-01.txt')
-rw-r--r-- fetchmail-SA-2009-01.txt 20
1 files changed, 8 insertions, 12 deletions
diff --git a/fetchmail-SA-2009-01.txt b/fetchmail-SA-2009-01.txt
index 06b7a9c5..93622c99 100644
--- a/fetchmail-SA-2009-01.txt
+++ b/fetchmail-SA-2009-01.txt
@@ -4,18 +4,17 @@ Topics: Improper SSL certificate subject verification
Author: Matthias Andree
Version: 1.0
-Announced: 2009-08-XX
+Announced: 2009-08-06
Type: Allows undetected Man-in-the-middle attacks against SSL/TLS.
Impact: Credential disclose to eavesdroppers.
-Danger: low
-CVSS V2 vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
+Danger: medium
+CVSSv2 vectors: (AV:N/AC:M/Au:N/C:P/I:N/A:N) (E:H/RL:OF/RC:C)
-Credits:
-CVE Name: CVE-2009-xxxx
+CVE Name: CVE-2009-2666
URL: http://www.fetchmail.info/fetchmail-SA-2009-01.txt
Project URL: http://www.fetchmail.info/
-Affects: fetchmail release before and excluding 6.3.11
+Affects: fetchmail releases up to and including 6.3.10
Not affected: fetchmail release 6.3.11 and newer
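Review bot: the context line "Impact: Credential disclose to eavesdroppers." carries a grammar error that this header rewrite leaves untouched; since the hunk already edits the neighbouring Danger and CVSS lines, fix it here to "Impact: Credential disclosure to eavesdroppers." The Danger rating moves from low to medium, and the base vector now given separately, (AV:N/AC:M/Au:N/C:P/I:N/A:N), computes to a CVSSv2 base score of 4.3, which falls in the medium band, so the two agree; consider printing the numeric score next to the vector so readers need not compute it. Removing the empty "Credits:" line is fine, but the Affects/Not affected pair ("up to and including 6.3.10" / "6.3.11 and newer") is now worded consistently and should be kept that way in later revisions.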
@@ -33,6 +32,7 @@ References: "Null Prefix Attacks Against SSL/TLS Certificates",
==================
2009-08-05 0.1 first draft (visible in SVN)
+2009-08-06 1.0 first release
1. Background
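Review bot: the new "2009-08-06 1.0 first release" entry records the release but not the substantive changes made to the advisory in this same commit, namely the Danger rating raised from low to medium, the CVE name CVE-2009-2666 assigned, and the split of the CVSS vector into base and temporal parts; a one-line mention of those in the changelog entry would let readers of the 0.1 draft see what changed.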
@@ -131,7 +131,7 @@ Index: socket.c
if (_ssl_server_cname != NULL) {
char *p1 = buf;
char *p2 = _ssl_server_cname;
-@@ -643,14 +649,21 @@
+@@ -643,11 +649,18 @@
* first find a match among alternative names */
gens = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL);
if (gens) {
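Review bot: the count-only change to the embedded socket.c hunk header, from "-643,14 +649,21" to "-643,11 +649,18", is consistent with the later hunk, which drops one "-" line and three context lines from the old side (four lines) and adds one context line back (net minus three), and drops one "+" line and the same three context lines from the new side with the same one-line replacement (net minus three). Because the header was edited by hand rather than regenerated, run the embedded patch through `patch --dry-run` against the 6.3.10 socket.c before publishing; a miscount here would make the advisory's patch unusable even though the prose is correct.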
@@ -152,10 +152,6 @@ Index: socket.c
+ return 0;
+ }
if (outlevel >= O_VERBOSE)
-- report(stderr, "Subject Alternative Name: %s\n", p1);
-+ report(stdout, GT_("Subject Alternative Name: %s\n"), p1);
- if (*p1 == '*') {
- ++p1;
- n = strlen(p2) - strlen(p1);
+ report(stderr, "Subject Alternative Name: %s\n", p1);
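Review bot: dropping the stderr-to-stdout and GT_() localisation change from the embedded patch is the right call for a security advisory, since it leaves only the lines that implement the certificate-name fix, but the trimmed hunk now ends with only two lines of trailing context ("if (outlevel >= O_VERBOSE)" and "report(stderr, ...)") instead of the usual three. GNU patch accepts that as long as the header counts match, which the preceding hunk takes care of, so the two hunks must always be applied together; note this in the commit message or regenerate the embedded patch with `diff -u` so the counts and context cannot drift apart.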