[Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.
alexander.kjeldaas at gmail.com
Sun Jan 20 20:27:07 CET 2013
On Sun, Jan 20, 2013 at 6:50 AM, Vincent Hanquez <tab at snarc.org> wrote:
> Hi cafe,
> this is a security advisory for tls-extra < 0.6.1 which are all vulnerable
> to bad certificate validation.
> Some parts of the certificate validation procedure were missing (relying on
> work-in-progress x509 v3 extensions), and because of this anyone with an
> end-entity certificate can issue certificates for any arbitrary domain, i.e.
> acting as a CA.
> This problem has been fixed in tls-extra 0.6.1, and I advise everyone to
> upgrade as soon as possible.
> Despite a very serious flaw in the certificate validation, I'm happy that the
> code is seeing some audits, and would like to thank Ertugrul Söylemez for
> the findings.
> https://github.com/vincenthz/hs-tls/issues/29
Regarding testing, it looks like the Tests directory hasn't been updated to
cover this bug. What would really give confidence is a set of tests
encoding fixed security vulnerabilities in OpenSSL (and similar libraries).
That should also give you a lot of confidence in your library.
But anyways, this is fantastic work you're doing. Keep it up!
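The check the quoted advisory describes as missing, shown as an added example that is not hs-tls code (it is written in Go because Go's standard library carries an X.509 implementation, so it runs without any third-party package). The scenario is the one in the advisory: a root CA issues an ordinary end-entity certificate, and the holder of that certificate then signs a certificate for a different domain. A validator that only follows signatures accepts the result; a validator that also reads the basicConstraints extension (cA flag, plus keyCertSign when keyUsage is present) rejects it. The names `makeCert`, `verifyChain`, `rogueChain` and the domains `legit.example` and `bank.example` are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certAndKey pairs a parsed certificate with the private key behind it.
type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var nextSerial int64 = 1000 // constructed serial numbers for the example

// makeCert issues a certificate for cn, signed by parent (self-signed when parent is nil).
// isCA sets basicConstraints cA and keyCertSign. parent may deliberately be a non-CA:
// that is the situation a chain validator has to catch.
func makeCert(cn string, isCA bool, parent *certAndKey) (*certAndKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parentCert, signer := tmpl, key // self-signed root
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certAndKey{cert: cert, key: key}, nil
}

// verifyChain walks chain[0] (leaf) up to the last element (trust anchor) and checks
// that each certificate was signed by the next one. With enforceCA=false it reproduces
// the flaw: a valid signature is all it takes to count as an issuer. With enforceCA=true
// it applies RFC 5280 4.2.1.9: the issuer must assert basicConstraints cA=TRUE and,
// if it carries a keyUsage extension, keyCertSign.
func verifyChain(chain []*x509.Certificate, enforceCA bool) error {
	for i := 0; i+1 < len(chain); i++ {
		child, issuer := chain[i], chain[i+1]
		// Raw cryptographic check only: the issuer's key produced the child's signature.
		if err := issuer.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature); err != nil {
			return fmt.Errorf("link %d: bad signature: %w", i, err)
		}
		if !enforceCA {
			continue
		}
		if !issuer.BasicConstraintsValid || !issuer.IsCA {
			return fmt.Errorf("link %d: %q is not a CA (basicConstraints)", i, issuer.Subject.CommonName)
		}
		if issuer.KeyUsage != 0 && issuer.KeyUsage&x509.KeyUsageCertSign == 0 {
			return fmt.Errorf("link %d: %q lacks keyCertSign", i, issuer.Subject.CommonName)
		}
	}
	return nil
}

// rogueChain builds the advisory's scenario with constructed names: a root CA, an honest
// end-entity certificate for legit.example, and a certificate for bank.example signed with
// the end-entity key. It returns [rogue, leaf, root].
func rogueChain() ([]*x509.Certificate, error) {
	root, err := makeCert("Example Root CA", true, nil)
	if err != nil {
		return nil, err
	}
	leaf, err := makeCert("legit.example", false, root)
	if err != nil {
		return nil, err
	}
	rogue, err := makeCert("bank.example", false, leaf) // end-entity acting as a CA
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{rogue.cert, leaf.cert, root.cert}, nil
}

func main() {
	chain, err := rogueChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("signature-only validator :", verifyChain(chain, false))    // nil: rogue accepted
	fmt.Println("basicConstraints-aware   :", verifyChain(chain, true))     // error: rejected
	fmt.Println("honest chain, checked    :", verifyChain(chain[1:], true)) // nil
}
```

The difference between the two validators is only the two `issuer.` checks after the signature test; everything else is identical, which is what makes the omission easy to miss in review and worth a regression test of the kind the reply above asks for. Go's own `Certificate.CheckSignatureFrom` and `Verify` apply the same basicConstraints rule, so a chain built this way is a ready-made negative test case for any validator.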