[CVE-2008-2420] stunnel incorrect OCSP validation vulnerability
Bug #257949 reported by
Till Ulen
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| stunnel4 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Hardy |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
Binary package hint: stunnel4
CVE-2008-2420 description:
"The OCSP functionality in stunnel before 4.24 does not properly search certificate revocation lists (CRL), which allows remote attackers to bypass intended access restrictions by using revoked certificates. "
http://
The bug has been already fixed in Intrepid. This is a request to backport the fix to Hardy.
CVE References
| Changed in stunnel4: | |
| status: | New → Fix Released |
| status: | New → Confirmed |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #1 |
| Changed in stunnel4 (Ubuntu Hardy): | |
| status: | Confirmed → Won't Fix |
To post a comment you must log in.
Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/
Please feel free to report any other bugs you may find.