882977 – (CVE-2014-3495) VUL-0: CVE-2014-3495: duplicity: Incorrect handling of wildcard certificates

Bug 882977 (CVE-2014-3495) - VUL-0: CVE-2014-3495: duplicity: Incorrect handling of wildcard certificates

Summary: VUL-0: CVE-2014-3495: duplicity: Incorrect handling of wildcard certificates

Status:	RESOLVED FIXED

Alias:	CVE-2014-3495

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	E-mail List
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/99641/
Whiteboard:	CVSSv2:RedHat:CVE-2014-3495:4.3:(AV:N...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2014-06-17 09:26 UTC by Johannes Segitz
Modified:	2018-04-19 22:35 UTC (History)
CC List:	3 users (show)

See Also:	https://launchpad.net/bugs/1314234
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2014-06-17 09:26:32 UTC

Eric Christensen of Red Hat Product Security reported that Duplicity did not handle wildcard certificates properly.  If Duplicity were to connect to a remote host that used a wildcard certificate, and the hostname does not match the wildcard, it would still consider the connection valid.

Please submit for openSUSE 12.3, 13.1 and if possible for SLE 12.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1109999
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3495
https://bugs.launchpad.net/duplicity/+bug/1314234

Comment 1 Wolfgang Rosenauer 2014-06-17 12:27:43 UTC

Is there any information about the fix available?
(And in advance I guess that I cannot submit for SLE12 as it's probably an internal OBS.)

Comment 2 Johannes Segitz 2014-06-17 12:47:01 UTC

not right now. I would wait a bit, upstream should provide a release since they're getting publicity through the CVE. 

I'll take care of the SLE12 submit one openSUSE is fixed

Comment 3 Swamp Workflow Management 2014-06-17 22:00:19 UTC

bugbot adjusting priority

Comment 4 Johannes Segitz 2015-04-02 07:57:07 UTC

I checked the changelog of the new releases but I couldn't find any reference to this issue or CVE. Can you please get in with upstream? Is still unfixed in SLE 12.

Comment 5 Wolfgang Rosenauer 2015-04-02 12:17:14 UTC

Apparently no upstream fix available yet :-(

Comment 6 Johannes Segitz 2017-08-03 08:39:43 UTC

Fix released:
https://bugs.launchpad.net/duplicity/+bug/1314234

Reassigning for fix on SLES

Comment 7 Johannes Segitz 2018-02-15 13:12:06 UTC

Please submit. Thank you.

Comment 8 Johannes Segitz 2018-02-27 16:44:02 UTC

ping. Please submit

Comment 9 Yifan Jiang 2018-03-01 03:01:51 UTC

Hi Jonathan,

Would you help to take care of the submission please? Thanks!

Comment 10 Jonathan Kang 2018-03-02 03:06:38 UTC

(In reply to Yifan Jiang from comment #9)
> Hi Jonathan,
> 
> Would you help to take care of the submission please? Thanks!

Sure. I'm on it.

Comment 11 Jonathan Kang 2018-03-02 08:25:41 UTC

From what I've found, fixes have been included in all the codestreams where
python-boto is maintained, which means certificates validation is enabled by
default. So there is nothing left to do for duplicity.

Comment 12 Johannes Segitz 2018-04-19 14:58:36 UTC

(In reply to Jonathan Kang from comment #11)
great, thank you