*** This bug is a security vulnerability *** Public security bug reported:
Recently, we are trying to find SSL security problems by static analysis. For example, as we all know, Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step or to misunderstand the APIs when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. And static analysis is a way of finding whether the APIs are called correctly. Now, we find some SSL problems in aiccu, the following is details: 1. "/aiccu-20070115/common/common.c Certificate verification missing Still vulnerable in Ubunutu 14.04 http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/aiccu/trusty/view/head:/common/common.c"; 2. "/aiccu-20070115/common/common.c Host name verification missing Still vulnerable in Ubunutu 14.04 http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/aiccu/trusty/view/head:/common/common.c"; PS: for more information, you can see the paper: http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf and more details you can contact with us, my email : rainkin1...@gmail.com Thanks. ** Affects: aiccu (Ubuntu) Importance: Undecided Status: New ** Information type changed from Private Security to Public ** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1380022 Title: aiccu's SSL connection is not secure To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/aiccu/+bug/1380022/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
