[Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.
tab at snarc.org
Sun Jan 20 06:50:16 CET 2013
this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to bad
Some part of the certificate validation procedure were missing (relying on the
work-in-progress x509 v3 extensions), and because of this anyone with a correct
end-entity certificate can issue certificate for any arbitrary domain, i.e.
acting as a CA.
This problem has been fixed in tls-extra 0.6.1, and I advise everyone to upgrade as
soon as possible.
Despite a very serious flaw in the certificate validation, I'm happy that the
code is seeing some audits, and would want to thanks Ertugrul Söylemez for the
More information about the Haskell-Cafe