| Field | Value | Field | Value |
|---|---|---|---|
| Summary | app-backup/duplicity: improper verification of SSL certificates | | |
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED INVALID | | |
| Severity | minor | CC | alexander, dschridde+gentoobugs, radhermit, rich0 |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=1109999 | | |
| Whiteboard | B3 [noglsa] | | |
| Package list | | Runtime testing required | --- |
Description
Agostino Sarubbo
2014-06-19 09:25:47 UTC
The reported issue is that a wildcard SSL certificate, which is issued to an owner of a particular domain, is not valid. As such, if you are willing to accept such a certificate then you are trusting the owner of that domain in its entirety. If we really broke this down, someone owning amazonaws.com should answer all DNS requests for that particular domain. If you are not willing to trust this then hardening is the proper approach. Furthermore, the original reporter in the upstream bug did not properly validate against the CA with the proper OpenSSL option of -CACert.