Re: [Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

2013-01-21 Thread Vincent Hanquez
On Sun, Jan 20, 2013 at 08:27:07PM +0100, Alexander Kjeldaas wrote: > Regarding testing, it looks like the Tests directory hasn't been updated to > cover this bug. What would really give confidence is a set of tests > encoding fixed security vulnerabilities in OpenSSL (and similar libraries). > T

Re: [Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

2013-01-21 Thread Joachim Breitner
Hi, On Sunday, 20.01.2013, at 17:21 +0100, Vincent Hanquez wrote: > On Sun, Jan 20, 2013 at 11:01:22AM +0100, Joachim Breitner wrote: > > Debian ships tls-extras 0.4.6 in what will become wheezy, and due to the > > freeze upgrading to a new major upstream release is not acceptable. > > > Wou

Re: [Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

2013-01-20 Thread Alexander Kjeldaas
On Sun, Jan 20, 2013 at 6:50 AM, Vincent Hanquez wrote: > Hi cafe, > > this is a security advisory for tls-extra < 0.6.1 which are all vulnerable > to bad > certificate validation. > > Some parts of the certificate validation procedure were missing (relying on > the > work-in-progress x509 v3 exte

Re: [Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

2013-01-20 Thread Vincent Hanquez
On Sun, Jan 20, 2013 at 11:01:22AM +0100, Joachim Breitner wrote: > Debian ships tls-extras 0.4.6 in what will become wheezy, and due to the > freeze upgrading to a new major upstream release is not acceptable. > Would it be possible for you to create a 0.4.6.1 with this bugfix > included? (wow

Re: [Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

2013-01-20 Thread Joachim Breitner
Hi, On Sunday, 20.01.2013, at 06:50 +0100, Vincent Hanquez wrote: > this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to > bad > certificate validation. > > Some parts of the certificate validation procedure were missing (relying on the > work-in-progress x509 v3 exten

[Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

2013-01-19 Thread Vincent Hanquez
Hi cafe, this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to bad certificate validation. Some parts of the certificate validation procedure were missing (relying on the work-in-progress x509 v3 extensions), and because of this anyone with a correct end-entity certificate