subversion-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Branko ─îibej <>
Subject Re: 1.9.0-beta1 may accept invalid certificates
Date Sun, 10 May 2015 19:44:45 GMT
On 10.05.2015 21:23, Stefan Sperling wrote:
> On Sun, May 10, 2015 at 04:05:16PM +0000, Daniel Shahaf wrote:
>> Subversion 1.9.0-beta1 may accept invalid SSL certificates presented by
>> servers in certain conditions: if both --non-interactive and --trust-foo
>> were passed, and the certificate has two failures, both the 'foo'
>> failure and some other failure.
>> In this context, a 'failure' corresponds to one of the 1.9.x cmdline
>> client's --trust-* option flags.
>> This issue is not present in any GA release (1.8.x or earlier) and will
>> not be present in 1.9.0 final.
>> Daniel
>> (handling this publicly since it doesn't affect any GA release; normally
>> we handle security issues privately)
> Sorry! I think I wrote this... oops.
> And thank you very much for catching it before dot zero GA!

Yup. FWIW, RC-1 has the same problem, but RC2 will not (assuming we all
vote for the backport).

-- Brane

View raw message