The cosign development team has released cosign 3.1.3. This release is a security update.
The cosign development team has identified a flaw in the handling of regular expression matching in the cosign.conf file, affecting all cosign 3.x releases. As a result of this flaw, cosignd may allow a client to connect by matching against a substring of the certificate Common Name (CN) presented by a client. Exploitation of the vulnerability requires guessing a value in the cosign.conf, knowledge of and access to a certificate authority trusted by the cosign daemon, and a specially crafted certificate issued by such a CA.

The cosign development team has rated this vulnerability moderate.

All weblogin administrators should immediately place regular expression anchors on the cgi pattern in the cosign.conf, e.g.:

    cgi weblogin-cgi

should become:

    cgi ^weblogin-cgi$

Restart the cosign daemon (cosignd) on each weblogin server in your pool after making this change. After taking these steps, your deployment will no longer be exposed.

Further details of the vulnerability can be found at:

http://cosign.sourceforge.net/cosign-vuln-2011-001.txt

Organizations maintaining cosign weblogin servers are encouraged to update to cosign 3.1.3 immediately, apply the workaround described above, or backport the patch linked below. [1]

Download:

<http://sourceforge.net/projects/cosign/files/cosign/cosign-3.1.3/cosign-3.1.3.tar.gz/download>

* SHA256(cosign-3.1.3.tar.gz)= 3eae54c03a61545b9180374a677179efc1273babaf78907ead3d16c353dbccab
* SHA1(cosign-3.1.3.tar.gz)= bccb5b43f8cabf1df2d8508c10bfb2f22354ae24
* RIPEMD160(cosign-3.1.3.tar.gz)= 077740b6b1f651da3ee98f5e455c200dea82f143

git://cosign.git.sourceforge.net/gitroot/cosign/cosign
Tag: cosign-3.1.3, GPG-signed with key ID 1FB01F5D.

Changes from 3.1.2:

common: Apply implicit anchoring to all regular expression matching.

More Info:

http://sourceforge.net/projects/cosign/
http://weblogin.org/

Feel free to contact me with questions or concerns. Please continue to report bugs, submit patches and request features on the SF.net tracker.
Thanks for your support of Cosign.

andrew

[1] <http://cosign.sourceforge.net/patches/cosign-vuln-2011-001.patch>
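The following is an added illustration, not code from the cosign project or the announcement above: it shows why an unanchored cgi pattern in cosign.conf accepts CNs that merely contain the configured string, how the ^...$ workaround and the 3.1.3 implicit-anchoring change close that gap, and a small audit that flags unanchored cgi patterns. The "cgi <pattern>" line format, the config fragments and the CN values are constructed assumptions for the example.

```python
import re

# Constructed cosign.conf fragments (not from the advisory): the unanchored
# form the advisory warns about and the anchored form it recommends.
VULNERABLE_CONF = "cgi weblogin-cgi\n"
FIXED_CONF = "cgi ^weblogin-cgi$\n"


def parse_cgi_patterns(conf_text):
    """Return the regex patterns from 'cgi <pattern>' lines.

    The line layout is assumed for this example; real cosign.conf files
    carry other directives that this parser deliberately ignores."""
    patterns = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "cgi":
            patterns.append(parts[1])
    return patterns


def cn_matches(pattern, cn, implicit_anchoring):
    """Match a client certificate CN against a configured pattern.

    Without implicit anchoring, re.search accepts any CN that merely
    contains a match (the pre-3.1.3 behaviour described in the advisory).
    With it, the whole CN must match, which is what both the 3.1.3 change
    and an explicit ^...$ in the pattern enforce."""
    if implicit_anchoring:
        return re.fullmatch(pattern, cn) is not None
    return re.search(pattern, cn) is not None


def is_anchored(pattern):
    """True when the administrator already anchored the pattern themselves."""
    return pattern.startswith("^") and pattern.endswith("$")


def audit_unanchored(conf_text):
    """List cgi patterns that rely on the daemon to anchor them.

    On a pre-3.1.3 cosignd every entry returned here is a substring match."""
    return [p for p in parse_cgi_patterns(conf_text) if not is_anchored(p)]


if __name__ == "__main__":
    # Constructed CN that contains the configured string but is not equal to it.
    other_cn = "weblogin-cgi-backup"
    for pat in parse_cgi_patterns(VULNERABLE_CONF) + parse_cgi_patterns(FIXED_CONF):
        print(pat, "unanchored daemon:", cn_matches(pat, other_cn, False),
              "anchored daemon:", cn_matches(pat, other_cn, True))
    print("patterns needing anchors:", audit_unanchored(VULNERABLE_CONF))
```

Running the audit against an existing cosign.conf before the cosignd restart the advisory calls for confirms that no cgi pattern still depends on the daemon's matching behaviour.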