[Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.
nomeata at debian.org
Sun Jan 20 11:01:22 CET 2013
Am Sonntag, den 20.01.2013, 06:50 +0100 schrieb Vincent Hanquez:
> this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to bad
> certificate validation.
> Some part of the certificate validation procedure were missing (relying on the
> work-in-progress x509 v3 extensions), and because of this anyone with a correct
> end-entity certificate can issue certificate for any arbitrary domain, i.e.
> acting as a CA.
> This problem has been fixed in tls-extra 0.6.1, and I advise everyone to upgrade as
> soon as possible.
> Despite a very serious flaw in the certificate validation, I'm happy that the
> code is seeing some audits, and would want to thanks Ertugrul Söylemez for the
> findings .
Debian ships tls-extras 0.4.6 in what will become wheezy, and due to the
freeze upgrading to a new major upstream release is not acceptable.
Would it be possible for you to create a 0.4.6.1 with this bugfix
Thanks a lot,
Joachim "nomeata" Breitner
nomeata at debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
JID: nomeata at joachim-breitner.de | http://people.debian.org/~nomeata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 198 bytes
Desc: This is a digitally signed message part
More information about the Haskell-Cafe