
TinySSL basic constraints vulnerability fixed

From:  Adam Megacz <adam@xwt.org>
To:  bugtraq@securityfocus.com
Subject:  TinySSL Vendor Statement: Basic Constraints Vulnerability
Date:  10 Aug 2002 20:28:25 -0700


TinySSL is an open source, compact (125k jar), SSLv3 client
implementation written in Java (1.1+). Versions 1.02 and earlier are
vulnerable to the attack posted last week by Mike Benham:

    http://online.securityfocus.com/archive/1/286290

An updated version (1.03) has been posted which fixes this
vulnerability; it is currently available from the XWT project's CVS
repository, which is the official distribution point for TinySSL.

More information can be found at http://www.xwt.org/tinyssl/

  - a

-- 
Sick of HTML user interfaces?
www.xwt.org

Amendment XXVIII: "thou shalt maximize thy stock price at all costs"



TinySSL basic constraints vulnerability fixed

Posted Aug 15, 2002 12:34 UTC (Thu) by ftc (guest, #2378)

"TinySSL has a server-side fix for the IE vulnerability" seems wrong to me.

TinySSL is an SSL client implementation, which apparently (in version 1.02 and earlier) suffered from the same problem as Internet Explorer (and other SSL clients, for example certain versions of Konqueror). This has been fixed in 1.03.

SSL clients based on TinySSL 1.03+, which probably include some specialized Java applets that need to do SSL transactions themselves (On-Line Banking applications come to mind), are no longer vulnerable to spoofed certificates signed by non-CAs.

It doesn't seem to address anything in Internet Explorer.
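The check the comment refers to, as an added example that is not TinySSL's code and not from the original page: a minimal model of chain validation in which the vulnerable variant only follows issuer names up to a trusted root, while the fixed variant also requires the basicConstraints cA flag (and honours pathLenConstraint) on every certificate that issued another. Certificates are constructed records, signature verification is assumed to have already passed, and the function names and trust store are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate; only the fields the check needs."""
    subject: str
    issuer: str
    is_ca: bool                     # basicConstraints cA flag
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint (None = no limit)

TRUSTED_ROOTS = {"Root CA"}         # constructed trust store (subject names)

def _names_link(chain: List[Cert]) -> bool:
    """Leaf-first chain: each issuer name must match the next subject, ending at a trusted root."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.subject in TRUSTED_ROOTS and root.issuer == root.subject

def validate_chain_name_only(chain: List[Cert]) -> bool:
    """Vulnerable behaviour (hypothetical model of the bug class): once the names
    link up to a trusted root the chain is accepted, so an ordinary end-entity
    certificate can act as an issuer."""
    return _names_link(chain)

def validate_chain_basic_constraints(chain: List[Cert]) -> bool:
    """Fixed behaviour: every certificate that issued another must assert cA=TRUE,
    and its pathLenConstraint bounds the intermediate CAs below it (leaf excluded)."""
    if not _names_link(chain):
        return False
    for index, issuer in enumerate(chain):
        if index == 0:
            continue                # the leaf signs nothing, so cA is not required of it
        if not issuer.is_ca:
            return False            # the check the basic constraints bug omitted
        intermediates_below = index - 1
        if issuer.path_len is not None and intermediates_below > issuer.path_len:
            return False
    return True

# Constructed certificates: a legitimate site certificate, and an attacker's own
# end-entity certificate that has "signed" a look-alike for the same site name.
ROOT = Cert("Root CA", "Root CA", is_ca=True)
BANK = Cert("www.example-bank.test", "Root CA", is_ca=False)
ATTACKER = Cert("attacker.test", "Root CA", is_ca=False)
SPOOF = Cert("www.example-bank.test", "attacker.test", is_ca=False)
LEGIT_CHAIN = [BANK, ROOT]
SPOOFED_CHAIN = [SPOOF, ATTACKER, ROOT]
```

Both validators accept LEGIT_CHAIN; only the name-only validator accepts SPOOFED_CHAIN, which is the behaviour the 1.03 fix removes.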

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds