duplicity-talk


From: Kenneth Loafman
Subject: Re: [Duplicity-talk] CVE-2014-3495 duplicity: improper verification of SSL certificates
Date: Thu, 19 Jun 2014 10:28:51 -0500

Removed the privacy setting.  I thought it was already.

No, this has not been fixed yet.  It's on the list.

...Ken



On Thu, Jun 19, 2014 at 10:21 AM, Henri Salo <address@hidden> wrote:
> Eric Christensen of Red Hat Product Security reported [1] that Duplicity did not
> handle wildcard certificates properly.  If Duplicity were to connect to a remote
> host that used a wildcard certificate, and the hostname does not match the
> wildcard, it would still consider the connection valid.
>
> 1: https://bugs.launchpad.net/duplicity/+bug/1314234
>
> Why is that upstream bug report still embargoed? Is there a fix for this
> security issue already? If yes - what version or source control revision?
>
> Debian: https://bugs.debian.org/751902
> RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1109999
>
> ---
> Henri Salo
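
The hostname check whose absence the report describes, as an added example that is not part of the original thread and is not Duplicity's code: a strict wildcard match in the style of RFC 6125, applied to a certificate dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`. The function names and the sample certificate are constructed for illustration; rejecting partial wildcards and `*.tld` patterns is a conservative choice made here.

```python
import ipaddress


def _is_ip(value):
    """True if value is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name (possibly a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or _is_ip(hostname):
        return False  # DNS names and wildcards never match IP literals
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels  # plain name: exact, case-insensitive
    # The wildcard must be the whole left-most label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Conservative choice: require two fixed labels, so "*.com" is rejected.
    if len(p_labels) < 3:
        return False
    # "*" stands for exactly one non-empty label; the rest must be identical.
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def cert_matches_host(cert, hostname):
    """Check a getpeercert()-style dict; only subjectAltName DNS entries count."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(dns_name_matches(name, hostname) for name in names)


# Constructed sample certificate (not taken from any real host).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.backup.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    for host in ("host1.backup.example.com", "host1.backup.example.org"):
        print(host, cert_matches_host(SAMPLE_CERT, host))
```

A client that accepts the connection only when `cert_matches_host` returns true for the hostname it dialed would refuse the mismatched-wildcard case described in the report.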

