Bug 882977 - (CVE-2014-3495) VUL-0: CVE-2014-3495: duplicity: Incorrect handling of wildcard certificates
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: E-mail List
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/99641/
Whiteboard: CVSSv2:RedHat:CVE-2014-3495:4.3:(AV:N...
Depends on:
Blocks:
Reported: 2014-06-17 09:26 UTC by Johannes Segitz
Modified: 2018-04-19 22:35 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2014-06-17 09:26:32 UTC
Eric Christensen of Red Hat Product Security reported that Duplicity did not handle wildcard certificates properly. If Duplicity were to connect to a remote host that used a wildcard certificate, and the hostname did not match the wildcard, it would still consider the connection valid.

Please submit for openSUSE 12.3, 13.1 and if possible for SLE 12.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1109999
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3495
https://bugs.launchpad.net/duplicity/+bug/1314234
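The report above says a hostname that did not match the wildcard was still accepted. What follows is an added example, not duplicity's or python-boto's code, of the strict hostname check a client has to make before trusting a wildcard certificate: the wildcard may only be the whole leftmost label, it stands for exactly one label, and it never covers a bare domain. The `WILDCARD_CERT` dict is constructed here in the shape `ssl.SSLSocket.getpeercert()` returns, and the policy choices (no partial wildcards such as `f*.example.com`, at least two labels after the `*`) are this example's assumptions, stricter than some TLS stacks.

```python
"""Strict hostname matching against TLS certificate identifiers (added example)."""
from typing import Mapping


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if `hostname` is covered by the certificate identifier `pattern`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname  # exact, case-insensitive match
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Policy (this example's assumption): the wildcard must be the entire
    # leftmost label, no other label may contain one, and at least two
    # labels must follow it so that "*.com" can never match anything.
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]) or len(plabels) < 3:
        return False
    # "*" stands for exactly one label: "*.example.com" covers neither
    # "example.com" (too few labels) nor "a.b.example.com" (too many).
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def certificate_identifiers(peer_cert: Mapping) -> list:
    """dNSName SANs from a getpeercert()-style dict; the CN only as a fallback."""
    sans = [value for (kind, value) in peer_cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in peer_cert.get("subject", ())
            for (kind, value) in rdn if kind == "commonName"]


def verify_peer_hostname(peer_cert: Mapping, hostname: str) -> bool:
    """The check a backup client must pass before sending data to `hostname`."""
    return any(hostname_matches(p, hostname) for p in certificate_identifiers(peer_cert))


# Constructed peer certificate, in the shape ssl.getpeercert() returns.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    for host in ("backup.example.com", "example.com", "a.b.example.com", "backup.example.net"):
        print(host, verify_peer_hostname(WILDCARD_CERT, host))
```

Only the first two hosts are accepted; `a.b.example.com` and `backup.example.net` are rejected even though the certificate carries a wildcard, which is exactly the case the report says the affected client got wrong.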
Comment 1 Wolfgang Rosenauer 2014-06-17 12:27:43 UTC
Is there any information about the fix available?
(And in advance I guess that I cannot submit for SLE12 as it's probably an internal OBS.)
Comment 2 Johannes Segitz 2014-06-17 12:47:01 UTC
Not right now. I would wait a bit; upstream should provide a release since they're getting publicity through the CVE.

I'll take care of the SLE12 submit once openSUSE is fixed.
Comment 3 Swamp Workflow Management 2014-06-17 22:00:19 UTC
bugbot adjusting priority
Comment 4 Johannes Segitz 2015-04-02 07:57:07 UTC
I checked the changelog of the new releases but I couldn't find any reference to this issue or CVE. Can you please get in touch with upstream? It is still unfixed in SLE 12.
Comment 5 Wolfgang Rosenauer 2015-04-02 12:17:14 UTC
Apparently no upstream fix available yet :-(
Comment 6 Johannes Segitz 2017-08-03 08:39:43 UTC
Fix released:
https://bugs.launchpad.net/duplicity/+bug/1314234

Reassigning for fix on SLES
Comment 7 Johannes Segitz 2018-02-15 13:12:06 UTC
Please submit. Thank you.
Comment 8 Johannes Segitz 2018-02-27 16:44:02 UTC
ping. Please submit
Comment 9 Yifan Jiang 2018-03-01 03:01:51 UTC
Hi Jonathan,

Would you help to take care of the submission please? Thanks!
Comment 10 Jonathan Kang 2018-03-02 03:06:38 UTC
(In reply to Yifan Jiang from comment #9)
> Hi Jonathan,
> 
> Would you help to take care of the submission please? Thanks!

Sure. I'm on it.
Comment 11 Jonathan Kang 2018-03-02 08:25:41 UTC
From what I've found, fixes have been included in all the codestreams where python-boto is maintained, which means certificate validation is enabled by default. So there is nothing left to do for duplicity.
Comment 12 Johannes Segitz 2018-04-19 14:58:36 UTC
(In reply to Jonathan Kang from comment #11)
great, thank you