Bugzilla – Bug 882977
VUL-0: CVE-2014-3495: duplicity: Incorrect handling of wildcard certificates
Last modified: 2018-04-19 22:35:21 UTC
Eric Christensen of Red Hat Product Security reported that Duplicity did not handle wildcard certificates properly. If Duplicity were to connect to a remote host that used a wildcard certificate, and the hostname does not match the wildcard, it would still consider the connection valid.
Please submit for openSUSE 12.3, 13.1 and if possible for SLE 12.
Is there any information about the fix available?
(And in advance I guess that I cannot submit for SLE12 as it's probably an internal OBS.)
not right now. I would wait a bit, upstream should provide a release since they're getting publicity through the CVE.
I'll take care of the SLE12 submit one openSUSE is fixed
bugbot adjusting priority
I checked the changelog of the new releases but I couldn't find any reference to this issue or CVE. Can you please get in with upstream? Is still unfixed in SLE 12.
Apparently no upstream fix available yet :-(
Reassigning for fix on SLES
Please submit. Thank you.
ping. Please submit
Would you help to take care of the submission please? Thanks!
(In reply to Yifan Jiang from comment #9)
> Hi Jonathan,
> Would you help to take care of the submission please? Thanks!
Sure. I'm on it.
From what I've found, fixes have been included in all the codestreams where
python-boto is maintained, which means certificates validation is enabled by
default. So there is nothing left to do for duplicity.
(In reply to Jonathan Kang from comment #11)
great, thank you