subversion-dev mailing list archives

From Daniel Shahaf <...@daniel.shahaf.name>
Subject 1.9.0-beta1 may accept invalid certificates (was: svn commit: r1678571 - /subversion/trunk/subversion/libsvn_subr/cmdline.c)
Date Sun, 10 May 2015 16:05:16 GMT
Subversion 1.9.0-beta1 may accept invalid SSL certificates presented by
servers in certain conditions: if both --non-interactive and --trust-foo
were passed, and the certificate has two failures, both the 'foo'
failure and some other failure.

In this context, a 'failure' corresponds to one of the 1.9.x cmdline
client's --trust-* option flags.

This issue is not present in any GA release (1.8.x or earlier) and will
not be present in 1.9.0 final.

Daniel
(handling this publicly since it doesn't affect any GA release; normally
we handle security issues privately)

danielsh@apache.org wrote on Sun, May 10, 2015 at 15:54:22 -0000:
> Author: danielsh
> Date: Sun May 10 15:54:22 2015
> New Revision: 1678571
> 
> URL: http://svn.apache.org/r1678571
> Log:
> * subversion/libsvn_subr/cmdline.c
>   (trust_server_cert_non_interactive): Fix false-positive acceptance of
>     certificates with multiple failures of which some but not all were
>     designated acceptable.
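
The condition described in this message, as an added C example (not Subversion's code, and not the change made in r1678571): a certificate's failures and the failures the user opted to trust are modelled as bitmasks, and a check that accepts on any overlap is set beside one that accepts only when every failure is covered. The `FAIL_*` names and the function names are hypothetical, and the any-overlap shape is an assumption chosen to reproduce the behaviour the message reports.

```c
#include <stdio.h>

/* Hypothetical failure bits for this example; not Subversion's constants. */
enum { FAIL_FOO = 1u << 0, FAIL_BAR = 1u << 1, FAIL_BAZ = 1u << 2 };

/* Flawed shape (assumed): accept once ANY reported failure is trusted. */
static int accept_if_any_trusted(unsigned failures, unsigned trusted)
{
  return failures == 0 || (failures & trusted) != 0;
}

/* Failures the user did not opt in to; worth logging on rejection. */
static unsigned untrusted_failures(unsigned failures, unsigned trusted)
{
  return failures & ~trusted;
}

/* Corrected shape: accept only when EVERY reported failure is trusted. */
static int accept_if_all_trusted(unsigned failures, unsigned trusted)
{
  return untrusted_failures(failures, trusted) == 0;
}

int main(void)
{
  /* Constructed cases: {failures reported, failures the user trusts}. */
  static const unsigned cases[][2] = {
    { 0,                   FAIL_FOO },
    { FAIL_FOO,            FAIL_FOO },
    { FAIL_FOO | FAIL_BAR, FAIL_FOO },
    { FAIL_FOO | FAIL_BAR, FAIL_FOO | FAIL_BAR },
    { FAIL_BAZ,            FAIL_FOO },
  };
  size_t i;

  puts("failures trusted  any-match  all-covered  left-over");
  for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
    printf("0x%02x     0x%02x     %-9s  %-11s  0x%02x\n",
           cases[i][0], cases[i][1],
           accept_if_any_trusted(cases[i][0], cases[i][1]) ? "accept" : "reject",
           accept_if_all_trusted(cases[i][0], cases[i][1]) ? "accept" : "reject",
           untrusted_failures(cases[i][0], cases[i][1]));
  return 0;
}
```

The third constructed case is the one the message describes: two failures, only one of them trusted, where the two checks disagree.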
