Re: [Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

2013-01-21 Thread Joachim Breitner
Hi,

On Sunday, 20.01.2013 at 17:21 +0100, Vincent Hanquez wrote:
 On Sun, Jan 20, 2013 at 11:01:22AM +0100, Joachim Breitner wrote:
  Debian ships tls-extra 0.4.6 in what will become wheezy, and due to the
  freeze upgrading to a new major upstream release is not acceptable.
  
  Would it be possible for you to create a 0.4.6.1 with this bugfix
  included?
 
 (wow, the tls package stack is quite obsolete)
 
 Apart from the fact that it took me a while to rebase to this version,
 I just uploaded 0.4.6.1. It compiles but has had minimal testing.

Thanks, uploaded to Debian and on its way into the wheezy suite.

Greetings,
Joachim

-- 
Joachim nomeata Breitner
Debian Developer
  nome...@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nome...@joachim-breitner.de | http://people.debian.org/~nomeata


___
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe


Re: [Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

2013-01-21 Thread Vincent Hanquez
On Sun, Jan 20, 2013 at 08:27:07PM +0100, Alexander Kjeldaas wrote:
 Regarding testing, it looks like the Tests directory hasn't been updated to
 cover this bug.  What would really give confidence is a set of tests
 encoding fixed security vulnerabilities in OpenSSL (and similar libraries).
 That should also give you a lot of confidence in your library.
 
 But anyways, this is fantastic work you're doing.  Keep it up!

Thanks,

Regarding tests, a good test suite is a hard and long job.

Some security properties are just insanely hard to codify, and
some others need a lot of tests.

My time being very limited, it's hard to pull off, but I have plans to
add some tests for the certificate validation functions. Especially
since I want to harden some functions a bit more, and it will come in handy
to verify I'm not breaking anything :-)

-- 
Vincent



Re: [Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

2013-01-20 Thread Joachim Breitner
Hi,

On Sunday, 20.01.2013 at 06:50 +0100, Vincent Hanquez wrote:
 this is a security advisory for tls-extra < 0.6.1, which are all vulnerable to
 bad certificate validation.
 
 Some parts of the certificate validation procedure were missing (relying on the
 work-in-progress x509 v3 extensions), and because of this anyone with a correct
 end-entity certificate can issue certificates for any arbitrary domain, i.e.
 acting as a CA.
 
 This problem has been fixed in tls-extra 0.6.1, and I advise everyone to
 upgrade as soon as possible.
 
 Despite a very serious flaw in the certificate validation, I'm happy that the
 code is seeing some audits, and would like to thank Ertugrul Söylemez for the
 findings [1].

Debian ships tls-extra 0.4.6 in what will become wheezy, and due to the
freeze upgrading to a new major upstream release is not acceptable.

Would it be possible for you to create a 0.4.6.1 with this bugfix
included?

Thanks a lot,
Joachim

-- 
Joachim nomeata Breitner
Debian Developer
  nome...@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nome...@joachim-breitner.de | http://people.debian.org/~nomeata




Re: [Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

2013-01-20 Thread Vincent Hanquez
On Sun, Jan 20, 2013 at 11:01:22AM +0100, Joachim Breitner wrote:
 Debian ships tls-extra 0.4.6 in what will become wheezy, and due to the
 freeze upgrading to a new major upstream release is not acceptable.
 
 Would it be possible for you to create a 0.4.6.1 with this bugfix
 included?

(wow, the tls package stack is quite obsolete)

Apart from the fact that it took me a while to rebase to this version,
I just uploaded 0.4.6.1. It compiles but has had minimal testing.

-- 
Vincent



Re: [Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

2013-01-20 Thread Alexander Kjeldaas
On Sun, Jan 20, 2013 at 6:50 AM, Vincent Hanquez t...@snarc.org wrote:

 Hi cafe,

 this is a security advisory for tls-extra < 0.6.1, which are all vulnerable
 to bad certificate validation.

 Some parts of the certificate validation procedure were missing (relying on
 the work-in-progress x509 v3 extensions), and because of this anyone with a
 correct end-entity certificate can issue certificates for any arbitrary domain,
 i.e. acting as a CA.

 This problem has been fixed in tls-extra 0.6.1, and I advise everyone to
 upgrade as soon as possible.

 Despite a very serious flaw in the certificate validation, I'm happy that
 the code is seeing some audits, and would like to thank Ertugrul Söylemez for
 the findings [1].

 [1] https://github.com/vincenthz/hs-tls/issues/29


Regarding testing, it looks like the Tests directory hasn't been updated to
cover this bug.  What would really give confidence is a set of tests
encoding fixed security vulnerabilities in OpenSSL (and similar libraries).
That should also give you a lot of confidence in your library.

But anyways, this is fantastic work you're doing.  Keep it up!

Alexander



[Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

2013-01-19 Thread Vincent Hanquez
Hi cafe,

this is a security advisory for tls-extra < 0.6.1, which are all vulnerable to
bad certificate validation.

Some parts of the certificate validation procedure were missing (relying on the
work-in-progress x509 v3 extensions), and because of this anyone with a correct
end-entity certificate can issue certificates for any arbitrary domain, i.e.
acting as a CA.

This problem has been fixed in tls-extra 0.6.1, and I advise everyone to
upgrade as soon as possible.

Despite a very serious flaw in the certificate validation, I'm happy that the
code is seeing some audits, and would like to thank Ertugrul Söylemez for the
findings [1].

[1] https://github.com/vincenthz/hs-tls/issues/29

-- 
Vincent

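As an added example (not code from this thread or from hs-tls), here is the chain the advisory describes, together with the kind of regression test Alexander asks for, written in Go because its crypto/x509 implements the basicConstraints check that was missing: a constructed root issues an ordinary end-entity certificate, that certificate's key signs a certificate for a different name, and two validators show the difference between checking only names and signatures and also reading the issuer's cA flag. All names, serial numbers and keys are constructed on the fly; `must`, `tmpl` and `issue` are small helpers of mine, not library API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panic on error, to keep the chain construction short
	if err != nil {
		panic(err)
	}
	return v
}
func tmpl(name string, serial int64, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: ca} // IsCA: the cA flag the old check never read
}
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// BuildScenario: a constructed root signs an end-entity cert (CA:FALSE) for attacker.example, whose key then signs victim.example.
func BuildScenario() (root, ee, forged *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rk, ek, lk := newKey(), newKey(), newKey() // fresh throwaway keys, nothing real is embedded
	rt := tmpl("Constructed Root", 1, true)
	root = issue(rt, rt, &rk.PublicKey, rk)
	ee = issue(tmpl("attacker.example", 2, false), root, &ek.PublicKey, rk)
	forged = issue(tmpl("victim.example", 3, false), ee, &lk.PublicKey, ek)
	return root, ee, forged
}

// NaiveAccepts models the pre-0.6.1 check: hostname plus raw issuer signature, cA flag ignored.
func NaiveAccepts(ee, leaf *x509.Certificate, host string) bool {
	return leaf.VerifyHostname(host) == nil &&
		ee.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil
}

// StrictAccepts runs full path validation, which refuses any issuer lacking basicConstraints cA=TRUE.
func StrictAccepts(root, ee, leaf *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ee) // offered as an intermediate, exactly as a client would receive it
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}
```

Encoding the scenario this way gives the test suite a permanent record of the bug: the naive validator accepts the forged certificate, the strict one rejects it while still accepting the legitimate end-entity certificate.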