diff options
author | Matthias Andree <matthias.andree@gmx.de> | 2009-08-05 22:59:58 +0000 |
---|---|---|
committer | Matthias Andree <matthias.andree@gmx.de> | 2009-08-05 22:59:58 +0000 |
commit | defebaa488f22c77009c7dfdd38045138baa342c (patch) | |
tree | 4146af017a0ab8730f52f67b5f3b06745b433cf7 /fetchmail-SA-2009-01.txt | |
parent | c47559dc34fd1e93c467664270ec9aef5693ba5c (diff) | |
download | fetchmail-defebaa488f22c77009c7dfdd38045138baa342c.tar.gz fetchmail-defebaa488f22c77009c7dfdd38045138baa342c.tar.bz2 fetchmail-defebaa488f22c77009c7dfdd38045138baa342c.zip |
Add CVE information, clear unrelated part from patch.
svn path=/branches/BRANCH_6-3/; revision=5394
Diffstat (limited to 'fetchmail-SA-2009-01.txt')
-rw-r--r-- | fetchmail-SA-2009-01.txt | 20 |
1 files changed, 8 insertions, 12 deletions
diff --git a/fetchmail-SA-2009-01.txt b/fetchmail-SA-2009-01.txt index 06b7a9c5..93622c99 100644 --- a/fetchmail-SA-2009-01.txt +++ b/fetchmail-SA-2009-01.txt @@ -4,18 +4,17 @@ Topics: Improper SSL certificate subject verification Author: Matthias Andree Version: 1.0 -Announced: 2009-08-XX +Announced: 2009-08-06 Type: Allows undetected Man-in-the-middle attacks against SSL/TLS. Impact: Credential disclose to eavesdroppers. -Danger: low -CVSS V2 vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C) +Danger: medium +CVSSv2 vectors: (AV:N/AC:M/Au:N/C:P/I:N/A:N) (E:H/RL:OF/RC:C) -Credits: -CVE Name: CVE-2009-xxxx +CVE Name: CVE-2009-2666 URL: http://www.fetchmail.info/fetchmail-SA-2009-01.txt Project URL: http://www.fetchmail.info/ -Affects: fetchmail release before and excluding 6.3.11 +Affects: fetchmail releases up to and including 6.3.10 Not affected: fetchmail release 6.3.11 and newer @@ -33,6 +32,7 @@ References: "Null Prefix Attacks Against SSL/TLS Certificates", ================== 2009-08-05 0.1 first draft (visible in SVN) +2009-08-06 1.0 first release 1. Background @@ -131,7 +131,7 @@ Index: socket.c if (_ssl_server_cname != NULL) { char *p1 = buf; char *p2 = _ssl_server_cname; -@@ -643,14 +649,21 @@ +@@ -643,11 +649,18 @@ * first find a match among alternative names */ gens = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL); if (gens) { @@ -152,10 +152,6 @@ Index: socket.c + return 0; + } if (outlevel >= O_VERBOSE) -- report(stderr, "Subject Alternative Name: %s\n", p1); -+ report(stdout, GT_("Subject Alternative Name: %s\n"), p1); - if (*p1 == '*') { - ++p1; - n = strlen(p2) - strlen(p1); + report(stderr, "Subject Alternative Name: %s\n", p1); END OF fetchmail-SA-2009-01.txt |