[Bug 1384232] Re: Certificate hostname verification fix
Roca
heboyuan at gmail.com
Thu Oct 23 01:25:48 UTC 2014
We sent email to cve-assign at mitre.org and got the following response,
but we don't agree that this was made intentionally.
This patch appears to be outside the scope of CVE. For issues of this type, the scope of CVE is limited to unintentional implementation mistakes. Here, the vendor intentionally did not do a hostname check because (quoting http://bugs.exim.org/show_bug.cgi?id=1479#c2) "Exim is an MTA, there has been no sane approach to determining a hostname suitable for verification of certificate identity." The vendor went on to implement a useful security enhancement in response to your report.
This is a very good outcome, but security enhancements are not assigned CVE-IDs.
** Bug watch added: bugs.exim.org/ #1479
http://bugs.exim.org/show_bug.cgi?id=1479
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to exim4 in Ubuntu.
https://bugs.launchpad.net/bugs/1384232
Title:
Certificate hostname verification fix
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1384232/+subscriptions