From: Kenneth Loafman
Subject: Re: [Duplicity-talk] CVE-2014-3495 duplicity: improper verification of SSL certificates
Date: Thu, 19 Jun 2014 10:28:51 -0500

Eric Christensen of Red Hat Product Security reported [1] that Duplicity did not
handle wildcard certificates properly. If Duplicity were to connect to a remote
host that used a wildcard certificate, and the hostname does not match the
wildcard, it would still consider the connection valid.
1: https://bugs.launchpad.net/duplicity/+bug/1314234
Why is that upstream bug report still embargoed? Is there a fix for this
security issue already? If yes - what version or source control revision?
Debian: https://bugs.debian.org/751902
RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1109999
---
Henri Salo
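
The check the report says was missing, as an added example that is not part of the original message and is not Duplicity's code or its fix: a certificate DNS name, wildcard or not, must actually cover the hostname being connected to. The function names and sample names are assumptions made for illustration, and the matching rules follow the usual RFC 6125 conventions.

```python
# Added example: hostname check against certificate DNS names (RFC 6125 style).
# Function names and all sample names below are constructed for illustration.

def _match_dns_name(pattern, hostname):
    """Return True if one certificate DNS name matches the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    first, rest = p_labels[0], p_labels[1:]
    # Wildcards are honoured only as the complete left-most label.
    if any("*" in label for label in rest):
        return False
    # Every label to the right of the first must match exactly.
    if rest != h_labels[1:]:
        return False
    if first == "*":
        # Require at least two fixed labels ("*.com" is refused) and a
        # non-empty host label in the wildcard position.
        return len(rest) >= 2 and h_labels[0] != ""
    if "*" in first:
        return False  # partial wildcards such as "w*" are refused here
    return first == h_labels[0]


def hostname_matches(cert_dns_names, hostname):
    """True only if some DNS name in the certificate covers the hostname."""
    return any(_match_dns_name(name, hostname) for name in cert_dns_names)


# Constructed certificate names (not taken from the bug report).
SAMPLE_NAMES = ["*.backup.example.com", "example.com"]

if __name__ == "__main__":
    for host in ("host1.backup.example.com", "example.com",
                 "backup.example.com", "a.b.backup.example.com",
                 "host1.backup.example.org"):
        print(host, hostname_matches(SAMPLE_NAMES, host))
```

A client that skips this comparison, or treats any wildcard certificate as matching, accepts a valid certificate issued for a different host.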