There seems to be a security issue in the way git uses openssl for
certificate validation. Similar occurrences have been found and
documented in other open source projects, the research can be found at

- imap-send.c

Line 307

 307   ret = SSL_connect(sock->ssl);
 308   if (ret <= 0) {
 309     socket_perror("SSL_connect", sock, ret);
 310     return -1;
 311   }

Certificate validation errors are signaled either through return
values of SSL_connect or by setting internal flags. The internal flags
need to be checked using the SSL_get_verify_result function. This is
not performed.

Kindly fix these issues, file a CVE and credit it to Dhanesh K. and
Zubin Mithra. Thanks.

We are not subscribed to this list, so we'd appreciate it if you could
CC us in the replies.

Hope this helps.


[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to