Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Alberto Fernández
infjaf at gmail.com
Thu Dec 6 20:03:25 UTC 2012
Hi
I've reopened the two bugs.
The first patch was incomplete, as pointed out by David and by another bug
I've found reviewing the code.
The bug pointed out by David can occur in some rare cases where the CA
issues malformed certificates. It's rare, but there are many CAs...
The other bug is about wildcard certificate validation. The first
patch incorrectly validates some cases. They're also rare cases of
certificates of the type aaaa*.xxx.com.
Both are very rare cases, but I think they must be fixed before release.
In outline, hostnames correctly validated:
original -> 0% (no validation at all)
first patch -> ¿99%?
Never fails with valid certificates,
blocks the majority of invalid requests,
allows a few rare cases which should be blocked
second patch -> 100%. I hope.
Thanks for your patience
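The partial-label wildcard case the message refers to (names of the form aaaa*.xxx.com), shown as an added example of RFC 6125-style hostname matching; this is not the commons-httpclient patch under discussion, and it assumes the certificate's presented names have already been extracted as plain strings.

```python
"""Wildcard hostname matching in the style of RFC 6125, section 6.4.3.

Added example, not the patch discussed in the bug report. It assumes the
presented identifiers (dNSName SAN entries or the CN) have already been
extracted from the certificate and are passed in as strings.
"""


def _match_label(pattern: str, label: str) -> bool:
    """Match one DNS label against a pattern label containing at most one '*'."""
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False
    prefix, suffix = pattern.split("*", 1)
    # 'aaaa*' must match 'aaaabbb' but never 'bbb': the literal parts of the
    # pattern have to be present around whatever the '*' absorbs.
    if len(label) < len(prefix) + len(suffix):
        return False
    return label.startswith(prefix) and label.endswith(suffix)


def hostname_matches(presented: str, hostname: str) -> bool:
    """Return True if the certificate name 'presented' covers 'hostname'."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not presented or not hostname:
        return False
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    # A wildcard is only accepted in the left-most label, and the name must
    # keep at least two further labels so '*.com' cannot cover all of .com.
    if any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False
    # A wildcard never spans a label boundary: label counts must agree, and
    # every label to the right of the wildcard must match exactly.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    return _match_label(p_labels[0], h_labels[0])


def certificate_covers(presented_names, hostname: str) -> bool:
    """True if any of the certificate's presented names matches the hostname."""
    return any(hostname_matches(name, hostname) for name in presented_names)
```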