hs-tls: Basic constraints vulnerability


For hs-tls (a TLS/SSL implementation in Haskell) the following advisory[0] was
announced:

----cut---------cut---------cut---------cut---------cut---------cut-----
Hi cafe,

this is a security advisory for tls-extra < 0.6.1, all versions of which are vulnerable
to bad certificate validation.

Some parts of the certificate validation procedure were missing (relying on the
work-in-progress x509 v3 extensions), and because of this anyone with a correct
end-entity certificate can issue certificates for any arbitrary domain, i.e.
act as a CA.

This problem has been fixed in tls-extra 0.6.1, and I advise everyone to upgrade as
soon as possible.

Despite a very serious flaw in the certificate validation, I'm happy that the
code is seeing some audits, and would like to thank Ertugrul Söylemez for the
findings [1].

[1] https://github.com/vincenthz/hs-tls/issues/29
----cut---------cut---------cut---------cut---------cut---------cut-----

According to the upstream issue it should be fixed with commit [2].

 [0]: http://www.haskell.org/pipermail/haskell-cafe/2013-January/105842.html
 [2]: https://github.com/vincenthz/hs-tls/commit/15885c0649ceabd2f4d2913df8ac6dc63d6b3b37

Could a CVE for this issue be assigned?

Regards,
Salvatore Bonaccorso
carnil@debian.org
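The flaw the advisory describes is a validator that never checks whether the certificate signing a chain link is actually a CA. The following Go program is an added example, not code from hs-tls, the advisory, or the mailing list: it builds a constructed, throwaway hierarchy (root CA, an end-entity certificate for "server.example", and a certificate for "victim.example" signed with the end-entity's key), then shows what a correct validator must do with it. `verifyChain` runs the standard library's path validation, which enforces Basic Constraints and keyCertSign on every issuer; `issuerMayIssue` spells out that same RFC 5280 rule in isolation so the missing check is visible on its own. All names, serial numbers and hostnames are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is a constructed hierarchy; keys are generated fresh on every run.
//   root   - self-signed CA (Basic Constraints cA=TRUE, keyCertSign)
//   server - end-entity certificate for "server.example" issued by root (cA=FALSE)
//   rogue  - certificate for "victim.example" signed with server's key, i.e. an
//            end-entity acting as a CA; a correct validator must reject it.
type demoPKI struct {
	root, server, rogue *x509.Certificate
}

// issue builds and signs one certificate. A nil parent means self-signed.
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // always emit the extension, so cA is explicit
		IsCA:                  isCA,
	}
	if isCA {
		tpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tpl.DNSNames = []string{cn}
		tpl.KeyUsage = x509.KeyUsageDigitalSignature
		tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func buildDemoPKI() demoPKI {
	root, rootKey := issue(1, "Demo Root CA", true, nil, nil)
	server, serverKey := issue(2, "server.example", false, root, rootKey)
	// The holder of server.example's key signs a certificate for another host.
	// Signing itself always works; whether the signer had authority to do so is
	// the validator's question, and that is exactly the check hs-tls lacked.
	rogue, _ := issue(3, "victim.example", false, server, serverKey)
	return demoPKI{root: root, server: server, rogue: rogue}
}

// verifyChain performs full path validation with the standard library, which
// checks Basic Constraints and keyCertSign on every issuer in the chain.
func verifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// issuerMayIssue states the RFC 5280 rule on its own: a v3 certificate may act
// as a CA only if it carries Basic Constraints with cA=TRUE and, when a Key
// Usage extension is present, keyCertSign.
func issuerMayIssue(issuer *x509.Certificate) error {
	if issuer.Version >= 3 && !issuer.BasicConstraintsValid {
		return errors.New("v3 issuer lacks the Basic Constraints extension")
	}
	if issuer.BasicConstraintsValid && !issuer.IsCA {
		return errors.New("issuer has Basic Constraints cA=FALSE: an end-entity certificate, not a CA")
	}
	if issuer.KeyUsage != 0 && issuer.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("issuer's Key Usage does not include keyCertSign")
	}
	return nil
}

func main() {
	p := buildDemoPKI()
	fmt.Println("legitimate chain:", verifyChain(p.server, nil, p.root, "server.example"))
	fmt.Println("rogue chain:", verifyChain(p.rogue, []*x509.Certificate{p.server}, p.root, "victim.example"))
	fmt.Println("server.example as issuer:", issuerMayIssue(p.server))
}
```

The legitimate chain verifies, while the chain ending in "victim.example" is rejected because its only candidate issuer is an end-entity certificate; a validator that, like the affected tls-extra releases, only checked signatures and names would have accepted both.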
