Re: [oss-security] Re: CVE request: irssi 0.8.15

From: Jamie Strandboge <jamie_at_nospam>
Date: Sat Apr 17 2010 - 21:37:59 GMT
To: Wouter Coekaerts <coekie@irssi.org>

FYI,

I backported the following svn commits to 0.8.14 for the SSL issue:
r5104:
  Check if an SSL certificate matches the hostname of the server we are
  connecting to
r5107:
  Use one SSL_CTX per connection, use default trusted CAs if nothing
  specified. This allows useful use of -ssl_verify without
  -ssl_cafile/-ssl_capath, using OpenSSL's default trusted CAs.
r5108:
  Call OpenSSL_add_all_algorithms(), may be needed to verify SHA256
  certs with certain versions of OpenSSL.
r5116:
  network-openssl: Show why a certificate failed validation.
r5136
  Do not use SSLv2 protocol. From Bazerka.

However, after rolling it out Steve Langasek discovered a bug when
connecting to an SSL irc proxy server[1]. His patch (attached) adjusts
it so when we have a proxy setting, expect the CN to match the proxy
hostname, not the server hostname

[1] https://bugs.launchpad.net/ubuntu/+source/irssi/+bug/565182

-- Jamie Strandboge | http://www.canonical.com

This message: [ Message body ]
Next message: Michael Gilbert: "Re: [oss-security] kernel: hvc_console: Fix race between hvc_close and hvc_remove"
Previous message: Josh Bressers: "Re: [oss-security] CVE Request: JIRA Issues"
In reply to: Wouter Coekaerts: "[oss-security] Re: CVE request: irssi 0.8.15"
Next in thread: Wouter Coekaerts: "Re: [oss-security] Re: CVE request: irssi 0.8.15"
Reply: Wouter Coekaerts: "Re: [oss-security] Re: CVE request: irssi 0.8.15"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]