[manjaro-security] [ASA-202108-8] fossil: certificate verification bypass
Jonas Witschel via arch-security
arch-security at lists.archlinux.org
Fri Aug 13 20:06:58 CEST 2021
Arch Linux Security Advisory ASA-202108-8
=========================================
Severity: High
Date : 2021-08-10
CVE-ID : CVE-2021-36377
Package : fossil
Type : certificate verification bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-2146
Summary
=======
The package fossil before version 2.16-1 is vulnerable to certificate
verification bypass.
Resolution
==========
Upgrade to 2.16-1.
# pacman -Syu "fossil>=2.16-1"
The problem has been fixed upstream in version 2.16.
Workaround
==========
None.
Description
===========
Fossil before version 2.15.2 often skips the hostname check during TLS
certificate validation.
Impact
======
A man-in-the-middle attacker could spoof a Fossil repository by
presenting any valid certificate for an arbitrary hostname, leading to
potential information disclosure.
References
==========
https://www.fossil-scm.org/forum/forumpost/8d367e16f53d93c789d70bd3bf2c9587227bbd5c6a7b8e512cccd79007536036
https://www.fossil-scm.org/home/info/aaab2a15d1dfc22f5453c2bad8f25ecf518ed3eef9a7fa6f4c5bd69ab4e4b075
https://security.archlinux.org/CVE-2021-36377
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20210813/97a77417/attachment-0001.sig>
More information about the manjaro-security
mailing list