duplicity-talk

[Duplicity-talk] CVE-2014-3495 duplicity: improper verification of SSL c


From: Henri Salo
Subject: [Duplicity-talk] CVE-2014-3495 duplicity: improper verification of SSL certificates
Date: Thu, 19 Jun 2014 18:21:17 +0300
User-agent: Mutt/1.5.21 (2010-09-15)

Eric Christensen of Red Hat Product Security reported [1] that Duplicity did not
handle wildcard certificates properly.  If Duplicity were to connect to a remote
host that used a wildcard certificate, and the hostname does not match the
wildcard, it would still consider the connection valid.

1: https://bugs.launchpad.net/duplicity/+bug/1314234

Why is that upstream bug report still embargoed? Is there a fix for this
security issue already? If yes - what version or source control revision?

Debian: https://bugs.debian.org/751902
RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1109999

---
Henri Salo

Attachment: signature.asc
Description: Digital signature
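
The failure reported above, a wildcard certificate being accepted for a hostname it does not cover, comes down to how the hostname is compared with the names in the certificate. The following is an added example, not part of the original post and not Duplicity's code or its fix: a strict RFC 6125-style matcher in Python, with function names chosen for illustration and all certificate names and hostnames constructed as samples.

```python
import ipaddress
import ssl


def _is_ip(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, hostname):
    """Match one certificate dNSName (possibly a wildcard) against hostname."""
    if _is_ip(hostname):
        return False  # IP literals are checked against iPAddress SANs only
    p = pattern.rstrip(".").lower().split(".")
    h = hostname.rstrip(".").lower().split(".")
    # Same number of labels, no empty labels, no "*" in the requested name.
    if len(p) != len(h) or not all(h) or "*" in hostname:
        return False
    # Only a whole leftmost label may be a wildcard ("b*.example.com" is refused).
    if "*" in "".join(p[1:]) or ("*" in p[0] and p[0] != "*"):
        return False
    if p[0] == "*":
        # "*" stands for exactly one label; refuse overly broad names like "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def verify_hostname(cert_dns_names, hostname):
    """Accept the connection only if some certificate name covers hostname."""
    return any(dns_name_matches(name, hostname) for name in cert_dns_names)


def strict_client_context():
    """Standard-library TLS context with chain and hostname checks enabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # already the default, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default, stated explicitly
    return ctx


if __name__ == "__main__":
    names = ["*.example.com"]  # constructed sample certificate names
    for host in ("backup.example.com", "backup.example.org", "a.b.example.com"):
        print(host, verify_hostname(names, host))
```

In client code the standard library's own check, as configured in `strict_client_context()`, is the one to rely on; the hand-written matcher is there to make the rules visible.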

