
Bug#458968: marked as done (CVE-2007-6591: Accepts SSL certificates for sites in subjectAltName, even though these are not displayed)



Your message dated Fri, 2 May 2014 18:13:39 +0200
with message-id <20140502161339.GC1033@inutil.org>
and subject line Re: Bug#458968: CVE-2007-6591: Accepts SSL certificates for sites in subjectAltName, even though these are not displayed
has caused the Debian Bug report #458968,
regarding CVE-2007-6591: Accepts SSL certificates for sites in subjectAltName, even though these are not displayed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
458968: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458968
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: konqueror
Version: 4:3.5.8.dfsg.1-2
Severity: important
Tags: security

From CVE-2007-6591:
"KDE Konqueror 3.5.5 and 3.95.00, when a user accepts an SSL server certificate
on the basis of the CN domain name in the DN field, regards the certificate as
also accepted for all domain names in subjectAltName:dNSName fields, even though
these fields cannot be examined in the product, which makes it easier for remote
attackers to trick a user into accepting an invalid certificate for a spoofed
web site."

There is more info at

http://nils.toedtmann.net/pub/subjectAltName.txt

and 

http://www.securityfocus.com/archive/1/483942/100/100/threaded



--- End Message ---
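
An added illustration of the behaviour the CVE text in the report above describes, next to a host-scoped alternative; it is not Konqueror code and not part of the original messages. The class and function names and the sample certificate are hypothetical and constructed, and a certificate is reduced to a fingerprint, a CN and its dNSName list.

```python
from collections import namedtuple

# Minimal stand-in for a parsed certificate; every value here is constructed.
Cert = namedtuple("Cert", "fingerprint common_name san_dns_names")

SAMPLE = Cert("fp-0001-constructed", "www.example.org",
              ("www.example.org", "shop.example.net"))


def cert_names(cert):
    """All host names the certificate claims: CN plus subjectAltName dNSName."""
    return {cert.common_name.lower()} | {n.lower() for n in cert.san_dns_names}


class CertScopedExceptions:
    """Behaviour in the CVE text: the user's decision is keyed on the certificate."""

    def __init__(self):
        self.accepted = set()

    def accept(self, host, cert):
        self.accepted.add(cert.fingerprint)  # the host the user looked at is dropped

    def is_trusted(self, host, cert):
        # Every name listed in the certificate inherits the earlier decision.
        return cert.fingerprint in self.accepted and host.lower() in cert_names(cert)


class HostScopedExceptions:
    """Hardened form: the decision is keyed on the (host, certificate) pair."""

    def __init__(self):
        self.accepted = set()

    def accept(self, host, cert):
        self.accepted.add((host.lower(), cert.fingerprint))

    def is_trusted(self, host, cert):
        return (host.lower(), cert.fingerprint) in self.accepted


def names_not_shown(cert, shown_host):
    """Names the accept dialog would have to list besides the one it displayed."""
    return sorted(cert_names(cert) - {shown_host.lower()})
```

With the host-scoped store, a later connection to a different name in the same certificate prompts again instead of inheriting the earlier acceptance.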
--- Begin Message ---
On Thu, Jan 03, 2008 at 10:57:57PM +0100, Stefan Fritsch wrote:
> Package: konqueror
> Version: 4:3.5.8.dfsg.1-2
> Severity: important
> Tags: security
> 
> From CVE-2007-6591:
> "KDE Konqueror 3.5.5 and 3.95.00, when a user accepts an SSL server certificate
> on the basis of the CN domain name in the DN field, regards the certificate as
> also accepted for all domain names in subjectAltName:dNSName fields, even though
> these fields cannot be examined in the product, which makes it easier for remote
> attackers to trick a user into accepting an invalid certificate for a spoofed
> web site."

Historic Konqueror bug, closing. (It hasn't been covered by security support for
some time now.)

Cheers,
        Moritz

--- End Message ---
