Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 325431 (CVE-2010-2074) - <www-client/w3m-0.5.2-r4 SSL spoofing vulnerability (CVE-2010-2074)
Summary: <www-client/w3m-0.5.2-r4 SSL spoofing vulnerability (CVE-2010-2074)
Status: RESOLVED FIXED
Alias: CVE-2010-2074
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-24 23:22 UTC by Stefan Behte (RETIRED)
Modified: 2012-10-18 20:58 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-06-24 23:22:18 UTC
Damn, I made a mistake when looking at the logfile.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-24 23:25:00 UTC
Sorry about #296051.

So, can we stabilize w3m-0.5.2-r4?
Comment 2 MATSUU Takuto (RETIRED) gentoo-dev 2010-06-25 01:29:17 UTC
Sure.

Please mark stable =www-client/w3m-0.5.2-r4.

FYI
w3m-0.5.2-r2.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86"
w3m-0.5.2-r4.ebuild:KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~ppc64 ~sparc ~x86"
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-06-25 06:57:37 UTC
x86 stable
Comment 4 Christoph Mende (RETIRED) gentoo-dev 2010-06-25 15:15:17 UTC
amd64 stable
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 21:36:39 UTC
CVE-2010-2074 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2074):
  istream.c in w3m 0.5.2 and possibly other versions, when
  ssl_verify_server is enabled, does not properly handle a '\0'
  character in a domain name in the (1) subject's Common Name or (2)
  Subject Alternative Name field of an X.509 certificate, which allows
  man-in-the-middle attackers to spoof arbitrary SSL servers via a
  crafted certificate issued by a legitimate Certification Authority, a
  related issue to CVE-2009-2408.

Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2010-06-26 14:56:56 UTC
alpha/ia64/sparc stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2010-07-08 20:31:29 UTC
ppc64 done
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-09 00:02:54 UTC
Stable for PPC.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:55:18 UTC
glsa request filed.
Comment 10 Naohiro Aota gentoo-dev 2012-05-27 17:52:42 UTC
Nothing to do left as cjk. Removing CC.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-10-18 20:58:45 UTC
This issue was resolved and addressed in
 GLSA 201210-01 at http://security.gentoo.org/glsa/glsa-201210-01.xml
by GLSA coordinator Stefan Behte (craig).