Vincent Hanquez | 20 Jan 06:50 2013

[ANN] tls-extra 0.6.1 - security update, please upgrade.

Hi cafe,

this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to bad
certificate validation.

Some parts of the certificate validation procedure were missing (relying on the
work-in-progress x509 v3 extensions), and because of this anyone with a correct
end-entity certificate can issue certificates for any arbitrary domain, i.e.
acting as a CA.

This problem has been fixed in tls-extra 0.6.1, and I advise everyone to upgrade as
soon as possible.

Despite a very serious flaw in the certificate validation, I'm happy that the
code is seeing some audits, and would want to thank Ertugrul Söylemez for the
findings [1].

[1] https://github.com/vincenthz/hs-tls/issues/29

-- 
Vincent
Joachim Breitner | 20 Jan 11:01 2013

Re: [Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

Hi,

On Sunday, 20.01.2013 at 06:50 +0100, Vincent Hanquez wrote:
> this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to bad
> certificate validation.
> 
> Some parts of the certificate validation procedure were missing (relying on the
> work-in-progress x509 v3 extensions), and because of this anyone with a correct
> end-entity certificate can issue certificates for any arbitrary domain, i.e.
> acting as a CA.
> 
> This problem has been fixed in tls-extra 0.6.1, and I advise everyone to upgrade as
> soon as possible.
> 
> Despite a very serious flaw in the certificate validation, I'm happy that the
> code is seeing some audits, and would want to thank Ertugrul Söylemez for the
> findings [1].

Debian ships tls-extras 0.4.6 in what will become wheezy, and due to the
freeze upgrading to a new major upstream release is not acceptable. 

Would it be possible for you to create a 0.4.6.1 with this bugfix
included?

Thanks a lot,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer

Vincent Hanquez | 20 Jan 17:21 2013

Re: [ANN] tls-extra 0.6.1 - security update, please upgrade.

On Sun, Jan 20, 2013 at 11:01:22AM +0100, Joachim Breitner wrote:
> Debian ships tls-extras 0.4.6 in what will become wheezy, and due to the
> freeze upgrading to a new major upstream release is not acceptable. 

> Would it be possible for you to create a 0.4.6.1 with this bugfix
> included?

(wow, the tls package stack is quite obsolete)

Apart from the fact that it took me a while to rebase to this version,
I just uploaded 0.4.6.1. It compiles but got minimal testing.

-- 
Vincent
Joachim Breitner | 21 Jan 11:29 2013

Re: [Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

Hi,

On Sunday, 20.01.2013 at 17:21 +0100, Vincent Hanquez wrote:
> On Sun, Jan 20, 2013 at 11:01:22AM +0100, Joachim Breitner wrote:
> > Debian ships tls-extras 0.4.6 in what will become wheezy, and due to the
> > freeze upgrading to a new major upstream release is not acceptable. 
>  
> > Would it be possible for you to create a 0.4.6.1 with this bugfix
> > included?
> 
> (wow, the tls package stack is quite obsolete)
> 
> Apart from the fact that it took me a while to rebase to this version,
> I just uploaded 0.4.6.1. It compiles but got minimal testing.

thanks, uploaded to Debian and on its way into the wheezy suite.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata <at> debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nomeata <at> joachim-breitner.de | http://people.debian.org/~nomeata
Alexander Kjeldaas | 20 Jan 20:27 2013

Re: [ANN] tls-extra 0.6.1 - security update, please upgrade.

On Sun, Jan 20, 2013 at 6:50 AM, Vincent Hanquez <tab <at> snarc.org> wrote:
> Hi cafe,
>
> this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to bad
> certificate validation.
>
> Some parts of the certificate validation procedure were missing (relying on the
> work-in-progress x509 v3 extensions), and because of this anyone with a correct
> end-entity certificate can issue certificates for any arbitrary domain, i.e.
> acting as a CA.
>
> This problem has been fixed in tls-extra 0.6.1, and I advise everyone to upgrade as
> soon as possible.
>
> Despite a very serious flaw in the certificate validation, I'm happy that the
> code is seeing some audits, and would want to thank Ertugrul Söylemez for the
> findings [1].
>
> [1] https://github.com/vincenthz/hs-tls/issues/29


Regarding testing, it looks like the Tests directory hasn't been updated to cover this bug.  What would really give confidence is a set of tests encoding fixed security vulnerabilities in OpenSSL (and similar libraries).  That should also give you a lot of confidence in your library.

But anyways, this is fantastic work you're doing.  Keep it up!

Alexander
 

 
> --
> Vincent

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe <at> haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
Vincent Hanquez | 22 Jan 08:08 2013

Re: [ANN] tls-extra 0.6.1 - security update, please upgrade.

On Sun, Jan 20, 2013 at 08:27:07PM +0100, Alexander Kjeldaas wrote:
> Regarding testing, it looks like the Tests directory hasn't been updated to
> cover this bug.  What would really give confidence is a set of tests
> encoding fixed security vulnerabilities in OpenSSL (and similar libraries).
>  That should also give you a lot of confidence in your library.
> 
> But anyways, this is fantastic work you're doing.  Keep it up!

Thanks,

Regarding tests, a good test suite is a hard and long job.

Some security properties are just insanely hard to codify, and
some others need a lot of tests.

My time being very limited, it's hard to pull off, but I have plans to
add some tests for the certificate validation functions. Especially
since I want to harden some functions a bit more, and it will come in handy
to verify I'm not breaking anything :-)

-- 
Vincent
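
The flaw class named in the advisory (an end-entity certificate accepted as an issuer) and the regression tests discussed above can be modelled as follows. This is an added example, not code from tls-extra or from anyone in this thread; it assumes the missing check corresponds to the X.509 v3 basicConstraints cA flag, and the `Cert` type, function names and certificate names are all hypothetical.

```haskell
-- Added illustration: a constructed model, not tls-extra's code or API.
module Main where

-- Stand-in for an X.509 certificate. Signature verification is modelled as
-- name linkage (child's issuer == parent's subject) to keep this self-contained.
data Cert = Cert
  { subject :: String
  , issuer  :: String
  , caFlag  :: Maybe Bool  -- basicConstraints cA; Nothing = extension absent
  } deriving (Eq, Show)

type Chain = [Cert]  -- leaf first, trust anchor last

signedBy :: Cert -> Cert -> Bool
signedBy child parent = issuer child == subject parent

-- Flawed validator: checks only linkage up to a trusted root.
validateLinkOnly :: [Cert] -> Chain -> Bool
validateLinkOnly roots chain =
  not (null chain)
    && last chain `elem` roots
    && and (zipWith signedBy chain (drop 1 chain))

-- Hardened validator: every certificate that signs another one must
-- explicitly assert cA=TRUE; an absent extension counts as "not a CA".
validateWithCA :: [Cert] -> Chain -> Bool
validateWithCA roots chain =
  validateLinkOnly roots chain
    && all ((== Just True) . caFlag) (drop 1 chain)

-- Constructed sample certificates (names are placeholders).
root, leaf, forged :: Cert
root   = Cert "Example Root CA" "Example Root CA" (Just True)
leaf   = Cert "site.example"    "Example Root CA" Nothing
forged = Cert "other.example"   "site.example"    Nothing

-- Regression cases: (description, chain, expected verdict).
cases :: [(String, Chain, Bool)]
cases =
  [ ("legitimate leaf under root",   [leaf, root],         True)
  , ("end-entity cert used as a CA", [forged, leaf, root], False)
  , ("empty chain",                  [],                   False)
  ]

main :: IO ()
main = mapM_ report cases
  where
    report (name, chain, expected) = putStrLn $
      name ++ ": link-only=" ++ show (validateLinkOnly [root] chain)
           ++ " with-CA-check=" ++ show (validateWithCA [root] chain)
           ++ " expected=" ++ show expected
```

The second case is the regression test: a validator that only follows issuer links accepts it, while one that requires the CA flag on every signing certificate rejects it.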
