Summary: | <www-client/w3m-0.5.2-r4 SSL spoofing vulnerability (CVE-2010-2074) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | ||
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2010/06/14/4 | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Stefan Behte (RETIRED)
2010-06-24 23:22:18 UTC
Sorry about #296051. So, can we stabilize w3m-0.5.2-r4? Sure. Please mark stable =www-client/w3m-0.5.2-r4. FYI w3m-0.5.2-r2.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86" w3m-0.5.2-r4.ebuild:KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~ppc64 ~sparc ~x86" x86 stable amd64 stable CVE-2010-2074 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2074): istream.c in w3m 0.5.2 and possibly other versions, when ssl_verify_server is enabled, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. alpha/ia64/sparc stable ppc64 done Stable for PPC. glsa request filed. Nothing to do left as cjk. Removing CC. This issue was resolved and addressed in GLSA 201210-01 at http://security.gentoo.org/glsa/glsa-201210-01.xml by GLSA coordinator Stefan Behte (craig). |