author | Daniel Stenberg <daniel@haxx.se> | 2009-08-01 21:56:59 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2009-08-01 21:56:59 +0000 |
commit | c0e8bed5bf7a7e56897e492a4dcc399621939995 (patch) | |
tree | 5c5262804a2a51a53d69e1b66411a03612e5a929 /RELEASE-NOTES | |
parent | 0dce2ff8a09065b2be2a3531f498006906c81db5 (diff) |
- Scott Cantor posted the bug report #2829955
(http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
verification flaw found and exploited by Moxie Marlinspike. The presentation
he did at Black Hat is available here:
https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
Apparently at least one CA allowed a subjectAltName or CN that contains a
zero byte, and thus clients that assumed they would never have zero bytes
were exploited to OK a certificate that didn't actually match the site. Like
if the name in the cert was "example.com\0theatualsite.com", libcurl would
happily verify that cert for example.com.
libcurl now better uses the length of the extracted name, not assuming it is
zero terminated.
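
The name check described in the commit message above, as an added example that is not code from this commit or from libcurl: a comparison that trusts C-string termination beside one that uses the length reported for the name. The function names and the byte-buffer interface are assumptions made for illustration; the sample name is the one quoted in the message.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive comparison of exactly n bytes. */
static int ascii_ieq(const unsigned char *a, const char *b, size_t n)
{
  for(size_t i = 0; i < n; i++)
    if(tolower(a[i]) != tolower((unsigned char)b[i]))
      return 0;
  return 1;
}

/* Flawed pattern: treats the extracted name as a C string, so strlen()
   stops at the first zero byte and the rest of the name is never seen. */
static int naive_name_matches(const unsigned char *name, size_t name_len,
                              const char *host)
{
  (void)name_len; /* the length reported by the ASN.1 layer is ignored */
  size_t n = strlen((const char *)name);
  return n == strlen(host) && ascii_ieq(name, host, n);
}

/* Length-aware check: a name carrying an embedded zero byte is rejected
   outright, and the comparison covers the full reported length. */
static int strict_name_matches(const unsigned char *name, size_t name_len,
                               const char *host)
{
  if(memchr(name, 0, name_len) != NULL)
    return 0; /* illegal name field, never a match */
  return name_len == strlen(host) && ascii_ieq(name, host, name_len);
}

/* Constructed samples. sizeof - 1 drops only the literal's own terminator,
   so the embedded zero byte stays part of the crafted name. */
static const unsigned char crafted[] = "example.com\0theatualsite.com";
static const size_t crafted_len = sizeof(crafted) - 1;
static const unsigned char honest[] = "example.com";
static const size_t honest_len = sizeof(honest) - 1;

int main(void)
{
  printf("naive,  crafted: %d\n",
         naive_name_matches(crafted, crafted_len, "example.com"));
  printf("strict, crafted: %d\n",
         strict_name_matches(crafted, crafted_len, "example.com"));
  printf("strict, honest:  %d\n",
         strict_name_matches(honest, honest_len, "example.com"));
  return 0;
}
```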
Diffstat (limited to 'RELEASE-NOTES')
-rw-r--r-- | RELEASE-NOTES | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index bd5700f77..b019bbc74 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -40,6 +40,7 @@ This release includes the following bugfixes: o missing algorithms in libcurl+OpenSSL o with noproxy set you could still get a proxy if a proxy env was set o rand seeding on libcurl on windows built with OpenSSL was not thread-safe + o fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL This release includes the following known bugs: @@ -53,6 +54,6 @@ advice from friends like these: Aaron Oneal, Igor Novoseltsev, Eric Wong, Bill Hoffman, Daniel Steinberg, Fabian Keil, Michal Marek, Reuven Wachtfogel, Markus Koetter, Constantine Sapuntzakis, David Binderman, Johan van Selst, Alexander Beedie, - Tanguy Fautre + Tanguy Fautre, Scott Cantor Thanks! (and sorry if I forgot to mention someone) |
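Review bot: The added bugfix line in the first hunk ("fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL") does not tell a reader scanning RELEASE-NOTES that this is a certificate verification issue, and it does not cite bug report #2829955 from the commit message. Consider wording that names the effect and the affected fields, for example that a zero byte in a subjectAltName or CN could make a certificate verify for the wrong host name, and append the bug number so the entry can be traced. Since this view is limited to RELEASE-NOTES, the code change itself should be reviewed alongside this text to confirm the entry's "libcurl+OpenSSL" scope matches what was actually changed.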