[Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

Joachim Breitner nomeata at debian.org
Sun Jan 20 11:01:22 CET 2013


Hi,

On Sunday, 20.01.2013, at 06:50 +0100, Vincent Hanquez wrote:
> this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to bad
> certificate validation.
> 
> Some parts of the certificate validation procedure were missing (relying on the
> work-in-progress x509 v3 extensions), and because of this anyone with a correct
> end-entity certificate can issue certificates for any arbitrary domain, i.e.
> acting as a CA.
> 
> This problem has been fixed in tls-extra 0.6.1, and I advise everyone to upgrade as
> soon as possible.
> 
> Despite a very serious flaw in the certificate validation, I'm happy that the
> code is seeing some audits, and would like to thank Ertugrul Söylemez for the
> findings [1].

Debian ships tls-extra 0.4.6 in what will become wheezy, and due to the
freeze upgrading to a new major upstream release is not acceptable.

Would it be possible for you to create a 0.4.6.1 with this bugfix
included?

Thanks a lot,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata at debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nomeata at joachim-breitner.de | http://people.debian.org/~nomeata
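The flaw quoted above is a chain-validation one: if the verifier never checks that each issuing certificate is actually marked as a CA (the basicConstraints extension), any end-entity certificate can be used to sign a further certificate for an unrelated name and the chain still verifies. The following is an added illustration, not code from tls-extra or from either of the people in this thread. It models certificates as plain records and simulates signatures with HMAC (the KEYS table stands in for the issuer public keys a real verifier would hold), so only the chain logic is realistic; all names ("Toy Root CA", "attacker.example", "bank.example") and keys are constructed. The `check_ca=False` switch reproduces the missing check so the vulnerable and fixed behaviour can be compared side by side.

```python
"""Toy X.509 chain validator showing why the basicConstraints CA check matters.

Constructed example (not tls-extra code): certificates are plain records and
signatures are simulated with HMAC, so only the chain-walking logic is real.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cert:
    subject: str              # CN / hostname the certificate is for
    issuer: str               # subject of the certificate that signed this one
    is_ca: bool               # basicConstraints cA flag
    path_len: Optional[int]   # pathLenConstraint (None = no limit)
    key_id: str               # identifies the holder's key in KEYS
    signature: bytes = b""


# Constructed key material; in a real PKI the verifier holds public keys only.
KEYS = {
    "root-key": b"root-secret",
    "inter-key": b"inter-secret",
    "attacker-key": b"attacker-secret",
}


def _tbs(c: Cert) -> bytes:
    """'To-be-signed' bytes: every field except the signature."""
    return f"{c.subject}|{c.issuer}|{c.is_ca}|{c.path_len}|{c.key_id}".encode()


def sign(cert: Cert, issuer_key_id: str) -> Cert:
    """Simulated signing: HMAC over the TBS bytes with the issuer's key."""
    cert.signature = hmac.new(KEYS[issuer_key_id], _tbs(cert), hashlib.sha256).digest()
    return cert


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(KEYS[issuer.key_id], _tbs(cert), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def validate_chain(chain, hostname, anchors, check_ca=True):
    """chain[0] is the end-entity cert; chain[-1] must be issued by a trust anchor.

    check_ca=False reproduces a validator that skips the basicConstraints check.
    Returns (accepted, reason).
    """
    if not chain or chain[0].subject != hostname:
        return False, "leaf does not match hostname"
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer = chain[i + 1]
        else:
            issuer = anchors.get(cert.issuer)
            if issuer is None:
                return False, f"no trust anchor named {cert.issuer!r}"
        if cert.issuer != issuer.subject or not signature_ok(cert, issuer):
            return False, f"bad signature on {cert.subject!r}"
        if check_ca:
            # The missing check: only a certificate marked cA=TRUE may issue others.
            if not issuer.is_ca:
                return False, f"issuer {issuer.subject!r} is not a CA"
            # Intermediates below this issuer are chain[1..i], i.e. i of them.
            if issuer.path_len is not None and i > issuer.path_len:
                return False, f"pathLenConstraint exceeded at {issuer.subject!r}"
    return True, "ok"


# Constructed PKI: root -> intermediate (pathLen 0) -> attacker's end-entity cert,
# and a rogue certificate for another site signed with the attacker's leaf key.
ROOT = sign(Cert("Toy Root CA", "Toy Root CA", True, None, "root-key"), "root-key")
INTERMEDIATE = sign(Cert("Toy Intermediate CA", "Toy Root CA", True, 0, "inter-key"), "root-key")
LEAF = sign(Cert("attacker.example", "Toy Intermediate CA", False, None, "attacker-key"), "inter-key")
ROGUE = sign(Cert("bank.example", "attacker.example", False, None, "attacker-key"), "attacker-key")
ANCHORS = {ROOT.subject: ROOT}


def demo():
    legit = validate_chain([LEAF, INTERMEDIATE], "attacker.example", ANCHORS)
    vulnerable = validate_chain([ROGUE, LEAF, INTERMEDIATE], "bank.example", ANCHORS, check_ca=False)
    fixed = validate_chain([ROGUE, LEAF, INTERMEDIATE], "bank.example", ANCHORS)
    return legit, vulnerable, fixed


if __name__ == "__main__":
    for label, result in zip(("legit chain", "rogue chain, no CA check", "rogue chain, fixed"), demo()):
        print(f"{label}: {result}")
```

Every signature in the rogue chain is genuine, which is exactly why a validator that only walks signatures accepts it; the rejection comes solely from asking whether each issuer is entitled to issue. A production verifier additionally checks key usage (keyCertSign), validity periods, name constraints and revocation, none of which are modelled here.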