We sent email to [email protected] and got the following response, but we don't agree that this is an intentionally made.
This patch appears to be outside the scope of CVE. For issues of this type, the scope of CVE is limited to unintentional implementation mistakes. Here, the vendor intentionally did not do a hostname check because (quoting http://bugs.exim.org/show_bug.cgi?id=1479#c2) "Exim is an MTA, there has been no sane approach to determining a hostname suitable for verification of certificate identity." The vendor went on to implement a useful security enhancement in response to your report. This is a very good outcome, but security enhancements are not assigned CVE-IDs. ** Bug watch added: bugs.exim.org/ #1479 http://bugs.exim.org/show_bug.cgi?id=1479 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1384232 Title: Certificate hostname verification fix To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1384232/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
