Yves-Alexis Perez
2012-Aug-05 13:35 UTC
[Secure-testing-team] Bug#683927: CVE-2012-3446: MITM vulnerability in TLS/SSL certificates verification
Package: libcloud
Severity: grave
Tags: security
Justification: user security hole

Hi,

a new libcloud was released, fixing a MITM vulnerability in the TLS/SSL certificates verification. Basically the hostname/CN check is done using a wrong regular expression which will match even superset of the hostname.

See http://libcloud.apache.org/security.html and https://github.com/apache/libcloud/commit/f2af5502dae3ac63e656dd1b7d5f29cc82ded401 and please upload an isolated fix to unstable, since we're in freeze.

Regards,
--
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
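
The bug class described in the report above, as an added example that is not part of the original message and is not libcloud's code: a certificate name turned into a regular expression and tested without anchors accepts any hostname that merely contains it, while a full match does not. The helper names and the sample hostnames are hypothetical and constructed for illustration.

```python
import re

# Hypothetical helpers for illustration; these are not libcloud functions.

def _name_to_regex(cert_name):
    """Turn a certificate name into a regex body; '*' stands for one DNS label."""
    return re.escape(cert_name).replace(r"\*", r"[0-9A-Za-z-]+")

def matches_unanchored(cert_name, hostname):
    """Flawed check: re.search succeeds if the pattern occurs anywhere in hostname."""
    return re.search(_name_to_regex(cert_name), hostname, re.IGNORECASE) is not None

def matches_anchored(cert_name, hostname):
    """Corrected check: the pattern must account for the entire hostname."""
    return re.fullmatch(_name_to_regex(cert_name), hostname, re.IGNORECASE) is not None

# Constructed sample data: (name in certificate, hostname the client asked for).
SAMPLES = [
    ("example.com", "example.com"),             # exact match
    ("example.com", "aexample.com"),            # hostname is a superset (prefix added)
    ("example.com", "example.com.other.test"),  # hostname is a superset (suffix added)
    ("*.example.com", "api.example.com"),       # wildcard covers one label
    ("*.example.com", "a.b.example.com"),       # wildcard must not span two labels
]

def compare(samples=SAMPLES):
    """Return (cert_name, hostname, unanchored_result, anchored_result) per sample."""
    return [(c, h, matches_unanchored(c, h), matches_anchored(c, h))
            for c, h in samples]

if __name__ == "__main__":
    for cert, host, loose, strict in compare():
        print(f"{cert:15} {host:24} unanchored={loose!s:5} anchored={strict}")
```

Current Python clients get hostname checking from `ssl.create_default_context()`, so a hand-written matcher like this is useful mainly as a regression test for the anchoring mistake.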