[Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

Joachim Breitner nomeata at debian.org
Sun Jan 20 11:01:22 CET 2013


Am Sonntag, den 20.01.2013, 06:50 +0100 schrieb Vincent Hanquez:
> this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to bad
> certificate validation.
> Some part of the certificate validation procedure were missing (relying on the
> work-in-progress x509 v3 extensions), and because of this anyone with a correct
> end-entity certificate can issue certificate for any arbitrary domain, i.e.
> acting as a CA.
> This problem has been fixed in tls-extra 0.6.1, and I advise everyone to upgrade as
> soon as possible.
> Despite a very serious flaw in the certificate validation, I'm happy that the
> code is seeing some audits, and would want to thanks Ertugrul Söylemez for the
> findings [1].

Debian ships tls-extras 0.4.6 in what will become wheezy, and due to the
freeze upgrading to a new major upstream release is not acceptable. 

Would it be possible for you to create a with this bugfix

Thanks a lot,

Joachim "nomeata" Breitner
Debian Developer
  nomeata at debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nomeata at joachim-breitner.de | http://people.debian.org/~nomeata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://www.haskell.org/pipermail/haskell-cafe/attachments/20130120/2127b38b/attachment.pgp>

More information about the Haskell-Cafe mailing list