Gabriel Menezes Nunes reported: [1] http://seclists.org/bugtraq/2009/Jun/239 that aMSN messenger failed to properly validate SSL certificates when connecting to the MSN server. A remote attacker could use this flaw to conduct man-in-the-middle attacks and / or impersonate trusted servers. References: [2] http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html [3] http://secunia.com/advisories/35621/ [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572818 Some upstream aMSN-devel communication regarding the patch: [5] http://www.opensource-archive.org/showthread.php?p=183821 And relevant commit: [6] http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/?view=log&pathrev=11991 CVE Request: [7] http://www.openwall.com/lists/oss-security/2010/03/10/4
This issue affects the versions of the amsn package, as shipped with Fedora releases of 11 and 12. Please fix, once the proposed, upstream patch [6] gets stabilized.
This is CVE-2010-0744.
Sander, could you please build new amsn package for Fedora releases of 11 and 12, with proposed upstream changes: [1] http://amsn.svn.sourceforge.net/viewvc/amsn?view=rev&revision=11991 [2] http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/amsn/ca-certs/?view=log anything else? Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
amsn-0.98.3-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/amsn-0.98.3-1.fc13
amsn-0.98.3-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/amsn-0.98.3-1.fc12
amsn-0.98.3-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/amsn-0.98.3-2.fc11
amsn-0.98.3-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
amsn-0.98.3-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
amsn-0.98.3-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.