Your message dated Mon, 14 Nov 2016 12:46:08 +0000
with message-id <[email protected]>
and subject line Bug#843478: Removed package(s) from unstable
has caused the Debian Bug report #797470,
regarding dnsval: val_dane_check: usage DANE-TA(2) may bypass cert validation entirely
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
797470: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797470
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dnsval
Version: 2.0-1.1
Severity: grave
Tags: security upstream
Justification: user security hole
Dear Maintainer,
With version 2.0 of the libval library, val_dane_check() completely fails
to verify the certificate and always returns a success status when used with
the DANE-TA(2) usage. An unsuspecting application using libval 2.0 could be
tricked into trusting any certificate that is provided.
For example, with the DNS record:
example.net. IN TLSA 2 0 1 aaaaa
val_dane_check() assumes that "aaaaa" is a valid DER-encoded certificate, and
passes it without validation to OpenSSL as a trusted anchor certificate. After
that, any certificate is accepted by SSL_get_verify_result() (as seen in
libval.c, lines 768 to 784).
Please note that I did not find any CVE or upstream bug report regarding this
issue, and the library is still considered experimental by its authors. The
bug has already been reported in May 2013 on the IETF DANE Working Group
mailing list by Viktor Dukhovni and acknowledged by Suresh Krishnaswamy
(libval's developer):
https://mailarchive.ietf.org/arch/msg/dane/QySBNeQevpD3gZCLJp1ohqPpaxc
I have only partially tested version 2.1 of libval (which is in the
experimental depot), but could not reproduce the same issue. In addition, the
code was completely rewritten and the logical flow modified, so the 2.1 API is
incompatible with version 2.0.
-- System Information:
Debian Release: 8.1
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
--- End Message ---
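The report above describes association data from a TLSA record being handed to OpenSSL as a trust anchor without any check that it is what the record claims. The following Python is an added example, not code from libval or the bug report: it parses presentation-format TLSA rdata, rejects data that cannot match its matching type (so "aaaaa" from the report is refused before anything trusts it), and for DANE-TA(2) compares a chain certificate against the record instead of treating the record as a certificate. The DER check is a structural sanity test only, not an X.509 parser, and selector 1 (SPKI) is left unhandled.

```python
import binascii
import hashlib
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}  # RFC 6698 2.1.1
SELECTORS = {0: "Cert", 1: "SPKI"}                                  # RFC 6698 2.1.2
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}                # RFC 6698 2.1.3
HASH_LEN = {1: 32, 2: 64}          # digest size in bytes for matching types 1 and 2

def looks_like_der(data: bytes) -> bool:
    """Structural sanity check only: outer SEQUENCE tag and a DER length that
    covers exactly the remaining bytes. This is not an X.509 parse."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:              # short-form length
        length, hdr = data[1], 2
    else:                           # long-form length with 1..4 length bytes
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return hdr + length == len(data)

def parse_tlsa(rdata: str) -> dict:
    """Parse presentation-format rdata such as "2 0 1 <hex>" and refuse any
    association data that cannot be what its matching type claims."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError("TLSA rdata must be: usage selector matching-type data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError(f"unknown field value in {parts[:3]}")
    try:
        data = binascii.unhexlify(parts[3])   # "aaaaa" fails here: odd length
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"association data is not hex: {exc}") from exc
    if mtype in HASH_LEN and len(data) != HASH_LEN[mtype]:
        raise ValueError(f"{MATCHING[mtype]} data must be {HASH_LEN[mtype]} bytes")
    if mtype == 0 and not looks_like_der(data):
        raise ValueError("matching type 0 data is not a DER SEQUENCE")
    return {"usage": usage, "selector": selector, "mtype": mtype, "data": data}

def dane_ta_cert_matches(rec: dict, chain_cert_der: bytes) -> bool:
    """DANE-TA(2), selector 0: is this certificate from the presented chain the
    anchor the record names? The record data is compared, never used as a cert."""
    if rec["usage"] != 2 or rec["selector"] != 0:
        raise ValueError("only DANE-TA(2) with selector 0 is handled here")
    if rec["mtype"] == 0:
        return chain_cert_der == rec["data"]
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[rec["mtype"]]
    return digest(chain_cert_der).digest() == rec["data"]
```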
--- Begin Message ---
Version: 2.2-4+rm
Dear submitter,
as the package dnsval has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/843478
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---