[ASA-202108-8] fossil: certificate verification bypass
Arch Linux Security Advisory ASA-202108-8 ========================================= Severity: High Date : 2021-08-10 CVE-ID : CVE-2021-36377 Package : fossil Type : certificate verification bypass Remote : Yes Link : https://security.archlinux.org/AVG-2146 Summary ======= The package fossil before version 2.16-1 is vulnerable to certificate verification bypass. Resolution ========== Upgrade to 2.16-1. # pacman -Syu "fossil>=2.16-1" The problem has been fixed upstream in version 2.16. Workaround ========== None. Description =========== Fossil before version 2.15.2 often skips the hostname check during TLS certificate validation. Impact ====== A man-in-the-middle attacker could spoof a Fossil repository by presenting any valid certificate for an arbitrary hostname, leading to potential information disclosure. References ========== https://www.fossil-scm.org/forum/forumpost/8d367e16f53d93c789d70bd3bf2c95872... https://www.fossil-scm.org/home/info/aaab2a15d1dfc22f5453c2bad8f25ecf518ed3e... https://security.archlinux.org/CVE-2021-36377
participants (1)
-
Jonas Witschel