[Duplicity-talk] CVE-2014-3495 duplicity: improper verification of SSL c
From: Henri Salo
Subject: [Duplicity-talk] CVE-2014-3495 duplicity: improper verification of SSL certificates
Date: Thu, 19 Jun 2014 18:21:17 +0300
User-agent: Mutt/1.5.21 (2010-09-15)

Eric Christensen of Red Hat Product Security reported [1] that Duplicity did not
handle wildcard certificates properly. If Duplicity were to connect to a remote
host that used a wildcard certificate, and the hostname does not match the
wildcard, it would still consider the connection valid.

1: https://bugs.launchpad.net/duplicity/+bug/1314234

Why is that upstream bug report still embargoed? Is there a fix for this
security issue already? If yes - what version or source control revision?

Debian: https://bugs.debian.org/751902
RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1109999

---
Henri Salo
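
The check the report above says was missing, shown as an added example (not part of the original message and not Duplicity's code): a conservative hostname-versus-certificate-name match in which a wildcard covers exactly one left-most label. The function names and the sample certificate names are assumptions made for illustration.

```python
# Added illustration: strict hostname-vs-certificate-name matching.
# dns_name_matches and cert_matches_host are hypothetical names, and
# the sample certificate names below are constructed.

def dns_name_matches(pattern, hostname):
    """Return True if hostname matches one DNS name from a certificate.

    A '*' is honoured only as the complete left-most label and stands
    for exactly one label, so '*.example.com' matches 'a.example.com'
    but not 'example.com', 'a.b.example.com' or 'a.example.org'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        # No wildcard: every label must be identical.
        return p_labels == h_labels
    # Wildcard must be the whole first label and appear nowhere else.
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]):
        return False
    # Refuse over-broad patterns such as '*.com'; a wildcard never
    # spans more than one label, so label counts must be equal.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(dns_names, hostname):
    """Accept the connection only if some certificate name matches."""
    return any(dns_name_matches(name, hostname) for name in dns_names)


if __name__ == "__main__":
    names = ["*.backup.example.com"]         # constructed name list
    for host in ("s1.backup.example.com",    # matches the wildcard
                 "s1.other.example.net",     # different domain
                 "a.b.backup.example.com"):  # two labels under '*'
        print(host, cert_matches_host(names, host))
```

In current Python, `ssl.create_default_context()` turns on certificate and hostname verification by default, so a hand-written matcher like this serves for understanding and testing rather than for production use.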