[Bug 1384232] Re: Certificate hostname verification fix

Roca heboyuan at gmail.com
Thu Oct 23 01:25:48 UTC 2014


We sent email to cve-assign at mitre.org and got the following response,
but we don't agree that this is an intentionally made.

This patch appears to be outside the scope of CVE. For issues of this type, the scope of CVE is limited to unintentional implementation mistakes. Here, the vendor intentionally did not do a hostname check because (quoting http://bugs.exim.org/show_bug.cgi?id=1479#c2) "Exim is an MTA, there has been no sane approach to determining a hostname suitable for verification of certificate identity." The vendor went on to implement a useful security enhancement in response to your report.
This is a very good outcome, but security enhancements are not assigned CVE-IDs.

** Bug watch added: bugs.exim.org/ #1479
   http://bugs.exim.org/show_bug.cgi?id=1479

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to exim4 in Ubuntu.
https://bugs.launchpad.net/bugs/1384232

Title:
  Certificate hostname verification fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1384232/+subscriptions



More information about the Ubuntu-server-bugs mailing list