Bug 1142518 - (CVE-2019-3685) VUL-0: CVE-2019-3685: osc: inadequate TLS certificate validation for HTTPS connections
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Marco Strigl
Security Team bot
https://smash.suse.de/issue/237868/
CVSSv3:SUSE:CVE-2019-3685:7.7:(AV:N/A...
Reported: 2019-07-23 13:48 UTC by Wolfgang Frisch
Modified: 2022-12-07 20:22 UTC (History)
Attachments
Enable TLS certificate verification (552 bytes, patch)
2019-07-23 14:23 UTC, Wolfgang Frisch
Description Wolfgang Frisch 2019-07-23 13:48:18 UTC
osc (Open Build Service Commander), versions 0.165.0 through 0.165.2, fails to adequately verify TLS certificates. This allows for man-in-the-middle attacks on HTTPS connections.

### Steps to reproduce
 * mitmproxy --ssl-insecure -m socks5
 * SOCKS_SERVER=127.0.0.1:8080 socksify osc co openSUSE:Leap:15.2 ImageMagick

### Expected result
osc should complain about the self-signed certificate immediately.

### Actual result
osc ignores the invalid certificate.
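Added example, not code from the bug report or from osc itself: a small Python audit of a client SSLContext that flags the settings which would let the self-signed proxy certificate above pass silently, beside the verifying configuration that the attached patch's title ("Enable TLS certificate verification") describes. All function names are assumptions made for this example.

```python
import ssl
import urllib.request


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return findings for settings that would let a self-signed or
    mismatched server certificate through without any complaint."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode != CERT_REQUIRED: chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname off: cert not matched to requested host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def context_like_the_bug() -> ssl.SSLContext:
    """Constructed stand-in for the 'actual result' above: a client context
    that accepts any certificate. This is not osc's real code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None) -> ssl.SSLContext:
    """The 'expected result': system (or explicit) CA bundle, hostname
    checking and TLS >= 1.2. A self-signed mitm certificate then raises
    ssl.SSLCertVerificationError during the handshake, before any request."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def https_opener(cafile=None) -> urllib.request.OpenerDirector:
    """urllib opener that can only ever use the verifying context."""
    handler = urllib.request.HTTPSHandler(context=verifying_context(cafile))
    return urllib.request.build_opener(handler)


if __name__ == "__main__":
    for name, ctx in (("bug-like", context_like_the_bug()),
                      ("fixed", verifying_context())):
        print(name, audit_client_context(ctx) or "OK")
```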
Comment 1 Wolfgang Frisch 2019-07-23 14:23:04 UTC
Created attachment 811332 [details]
Enable TLS certificate verification
Comment 2 Marcus Meissner 2019-07-23 14:45:40 UTC
use CVE-2019-3685 for this issue.
Comment 4 Swamp Workflow Management 2019-07-24 16:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1142518) was mentioned in
https://build.opensuse.org/request/show/718310 Factory / osc
Comment 6 Swamp Workflow Management 2019-08-06 19:13:49 UTC
SUSE-SU-2019:2067-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1129889,1138977,1140697,1142518,1142662,1144211
CVE References: CVE-2019-3685
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    osc-0.165.4-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-08-12 19:10:38 UTC
openSUSE-SU-2019:1844-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1129889,1138977,1140697,1142518,1142662,1144211
CVE References: CVE-2019-3685
Sources used:
openSUSE Leap 15.1 (src):    osc-0.165.4-lp151.2.6.1
Comment 8 Marcus Meissner 2019-09-04 11:23:11 UTC
released
Comment 10 Swamp Workflow Management 2022-12-07 20:22:27 UTC
SUSE-SU-2022:4351-1: An update that solves two vulnerabilities, contains one feature and has 22 fixes is now available.

Category: security (important)
Bug References: 1089025,1097996,1122675,1125243,1126055,1126058,1127932,1129757,1129889,1131512,1136584,1137477,1138165,1138977,1140697,1142518,1142662,1144211,1154972,1155953,1156501,1160446,1166537,1173926
CVE References: CVE-2019-3681,CVE-2019-3685
JIRA References: OBS-203
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    osc-0.182.0-15.12.1