On Sun, Jan 20, 2013 at 08:27:07PM +0100, Alexander Kjeldaas wrote:
> Regarding testing, it looks like the Tests directory hasn't been updated to
> cover this bug. What would really give confidence is a set of tests
> encoding fixed security vulnerabilities in OpenSSL (and similar libraries).
> T
Hi,
On Sunday, 20.01.2013, at 17:21 +0100, Vincent Hanquez wrote:
> On Sun, Jan 20, 2013 at 11:01:22AM +0100, Joachim Breitner wrote:
> > Debian ships tls-extras 0.4.6 in what will become wheezy, and due to the
> > freeze upgrading to a new major upstream release is not acceptable.
>
> > Wou
On Sun, Jan 20, 2013 at 6:50 AM, Vincent Hanquez wrote:
> Hi cafe,
>
> this is a security advisory for tls-extra < 0.6.1 which are all vulnerable
> to bad certificate validation.
>
> Some parts of the certificate validation procedure were missing (relying on
> the work-in-progress x509 v3 exte
On Sun, Jan 20, 2013 at 11:01:22AM +0100, Joachim Breitner wrote:
> Debian ships tls-extras 0.4.6 in what will become wheezy, and due to the
> freeze upgrading to a new major upstream release is not acceptable.
> Would it be possible for you to create a 0.4.6.1 with this bugfix
> included?
(wow
Hi,
On Sunday, 20.01.2013, at 06:50 +0100, Vincent Hanquez wrote:
> this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to
> bad certificate validation.
>
> Some parts of the certificate validation procedure were missing (relying on the
> work-in-progress x509 v3 exten
Hi cafe,
this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to
bad certificate validation.

Some parts of the certificate validation procedure were missing (relying on the
work-in-progress x509 v3 extensions), and because of this anyone with a correct
end-entity certificate