Bug 882977 - (CVE-2014-3495) VUL-0: CVE-2014-3495: duplicity: Incorrect handling of wildcard certificates
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: E-mail List
Security Team bot
Depends on:
Reported: 2014-06-17 09:26 UTC by Johannes Segitz
Modified: 2018-04-19 22:35 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2014-06-17 09:26:32 UTC
Eric Christensen of Red Hat Product Security reported that Duplicity did not handle wildcard certificates properly.  If Duplicity were to connect to a remote host that used a wildcard certificate, and the hostname does not match the wildcard, it would still consider the connection valid.

Please submit for openSUSE 12.3, 13.1 and if possible for SLE 12.

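As an added example (not part of this bug report or of duplicity's code), a hostname check that rejects the case described in the report: a wildcard certificate whose name pattern does not cover the host actually being connected to. The presented certificate names and target hostnames are constructed for the demonstration.

```python
# Added example: RFC 6125-style hostname matching for wildcard certificates.
# Not duplicity's code; certificate names and hostnames below are constructed.

def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True only if cert_name (a CN or dNSName SAN) covers hostname.

    Rules applied (deliberately strict):
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard must be the entire left-most label ("*.example.com")
      * it matches exactly one label, so it never covers the bare domain
        or a deeper subdomain
      * a wildcard needs at least two fixed labels after it, so "*.com"
        is rejected
    """
    cert = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not cert or not host or "*" in host:
        return False                     # a real DNS name never contains "*"
    if "*" not in cert:
        return cert == host              # plain name: exact match only
    cert_labels = cert.split(".")
    host_labels = host.split(".")
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False                     # partial ("b*.") or bare ("*.com") wildcard
    if len(host_labels) != len(cert_labels) or not host_labels[0]:
        return False                     # wrong depth or empty left-most label
    return cert_labels[1:] == host_labels[1:]


def verify_peer_name(cert_names, hostname: str) -> bool:
    """True if any name presented by the peer covers the host we meant to reach."""
    return any(hostname_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed certificate: one wildcard name plus one exact dNSName SAN.
    presented = ["*.backup.example.com", "files.example.com"]
    for target in ["host1.backup.example.com", "files.example.com",
                   "backup.example.com", "a.b.backup.example.com",
                   "host1.backup.example.net"]:
        print(f"{target:28} -> {verify_peer_name(presented, target)}")
```

Only the first two targets are accepted; the remaining three are the mismatches a client must refuse.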
Comment 1 Wolfgang Rosenauer 2014-06-17 12:27:43 UTC
Is there any information about the fix available?
(And in advance I guess that I cannot submit for SLE12 as it's probably an internal OBS.)
Comment 2 Johannes Segitz 2014-06-17 12:47:01 UTC
Not right now. I would wait a bit, upstream should provide a release since they're getting publicity through the CVE.

I'll take care of the SLE12 submit once openSUSE is fixed.
Comment 3 Swamp Workflow Management 2014-06-17 22:00:19 UTC
bugbot adjusting priority
Comment 4 Johannes Segitz 2015-04-02 07:57:07 UTC
I checked the changelog of the new releases but I couldn't find any reference to this issue or CVE. Can you please get in touch with upstream? It is still unfixed in SLE 12.
Comment 5 Wolfgang Rosenauer 2015-04-02 12:17:14 UTC
Apparently no upstream fix available yet :-(
Comment 6 Johannes Segitz 2017-08-03 08:39:43 UTC
Fix released:

Reassigning for fix on SLES
Comment 7 Johannes Segitz 2018-02-15 13:12:06 UTC
Please submit. Thank you.
Comment 8 Johannes Segitz 2018-02-27 16:44:02 UTC
Ping. Please submit.
Comment 9 Yifan Jiang 2018-03-01 03:01:51 UTC
Hi Jonathan,

Would you help to take care of the submission please? Thanks!
Comment 10 Jonathan Kang 2018-03-02 03:06:38 UTC
(In reply to Yifan Jiang from comment #9)
> Hi Jonathan,
> Would you help to take care of the submission please? Thanks!

Sure. I'm on it.
Comment 11 Jonathan Kang 2018-03-02 08:25:41 UTC
From what I've found, fixes have been included in all the codestreams where
python-boto is maintained, which means certificate validation is enabled by
default. So there is nothing left to do for duplicity.
Comment 12 Johannes Segitz 2018-04-19 14:58:36 UTC
(In reply to Jonathan Kang from comment #11)
Great, thank you.