[Pkg-openssl-devel] Bug#517791: CVE-2009-0653: missing verification
Steffen Joeris
steffen.joeris at skolelinux.de
Mon Mar 2 02:20:17 UTC 2009
Package: openssl
Version: 0.9.8g-15
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssl.
CVE-2009-0653[0]:
| OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an
| intermediate CA-signed certificate, which allows remote attackers to
| spoof the certificates of trusted sites via a man-in-the-middle
| attack, a related issue to CVE-2002-0970.
I wasn't really sure about this issue, so could you maybe state your
opinion on it?
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0653
http://security-tracker.debian.net/tracker/CVE-2009-0653
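The chain shape the CVE text describes, reproduced with the openssl command line as an added example (not part of this bug report, and not code from the OpenSSL project): a throwaway root signs an intermediate with basicConstraints CA:TRUE, the intermediate signs an ordinary end-entity certificate with CA:FALSE, and that end-entity certificate is then used to sign a certificate for "www.example.com". A verifier that honours basicConstraints rejects the second chain at depth 1; one that skips the check, as the CVE says old 0.9.6 did, would accept it. Assumed environment: an openssl CLI (1.1.1 or 3.x) and mktemp on PATH, run under a POSIX sh; all names, subjects and file paths are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not taken from the bug report or from OpenSSL's own sources.
# Builds a throwaway PKI: root -> intermediate (CA:TRUE) -> server (CA:FALSE),
# then has the *server* leaf sign a certificate for "www.example.com". A
# verifier that ignores basicConstraints accepts that chain; a correct one
# rejects it at depth 1 with "invalid CA certificate".
# Assumes: openssl 1.1.1 or 3.x and mktemp on PATH, a POSIX sh.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/openssl.cnf"

# Minimal req config: an empty DN section (subjects come from -subj) and two
# extension profiles. The leaf profile deliberately carries no keyUsage, so the
# only thing stopping it from acting as an issuer is basicConstraints.
cat > "$CONF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
[leaf_ext]
basicConstraints = critical, CA:FALSE
EOF

# Self-signed trust anchor.
openssl req -x509 -config "$CONF" -extensions ca_ext -newkey rsa:2048 -nodes \
  -days 1 -subj "/CN=Example Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# issue NAME ISSUER CN PROFILE: new key + CSR for NAME, signed with ISSUER's key,
# with the extensions from PROFILE (ca_ext or leaf_ext) attached.
issue() {
  name=$1 issuer=$2 cn=$3 profile=$4
  openssl req -new -config "$CONF" -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$name.csr" \
    -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
    -extfile "$CONF" -extensions "$profile" -out "$WORK/$name.crt" 2>/dev/null
}

issue intermediate root         "Example Intermediate" ca_ext
issue server       intermediate "server.example.net"   leaf_ext
# The attack: the end-entity "server" certificate acts as an issuer.
issue rogue        server       "www.example.com"      leaf_ext

# Everything below the trust anchor, bundled as a TLS peer would present it.
cat "$WORK/intermediate.crt" "$WORK/server.crt" > "$WORK/untrusted.pem"

# verify NAME: prints "ok" or "rejected" according to openssl verify's verdict.
verify() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/untrusted.pem" \
       "$WORK/$1.crt" >/dev/null 2>&1
  then echo ok
  else echo rejected
  fi
}

echo "server.example.net signed by the intermediate: $(verify server)"   # ok
echo "www.example.com signed by the server leaf:     $(verify rogue)"    # rejected
# The verifier's own reason: error 24 at depth 1, invalid CA certificate, i.e.
# the basicConstraints check this CVE is about.
openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/untrusted.pem" \
  "$WORK/rogue.crt" || true
```

The explicit CA:FALSE is the clean case. If the extension is simply absent, a non-strict verifier falls back to other signals (a v1 self-signed certificate, or keyUsage keyCertSign, is still treated as a CA); `openssl verify -x509_strict` insists on an explicit CA:TRUE, which is the setting to use when auditing a chain rather than merely validating it.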