Moritz Buhl:
> this diff fixes CVE-2020-14387 for net/rsync.
The same change was committed upstream: https://github.com/WayneD/rsync/commit/c3f7414c450faaf6a8281cc4a4403529aeb7d859

However...

> +- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet > -servername $hostname -connect $hostname:$port > ++ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet > -servername $hostname -verify_hostname $hostname -connect $hostname:$port

... LibreSSL's openssl(1) doesn't appear to support the -verify_hostname option. So this change would break rsync-ssl for us. And actually, -verify_quiet doesn't exist either, so this is already broken.

--
Christian "naddy" Weisgerber [email protected]
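Review bot: The added `-verify_hostname $hostname` on the `exec $RSYNC_SSL_OPENSSL s_client` line is passed unconditionally to whatever binary `$RSYNC_SSL_OPENSSL` names, so an openssl(1) that lacks the option (LibreSSL's, per the reply above, which also reports the pre-existing `-verify_quiet` as missing) breaks rsync-ssl. Suggest checking once whether the selected binary accepts `-verify_hostname` and `-verify_quiet` and exiting with a clear error when it does not, rather than dropping the hostname check, since that check is what this diff adds for CVE-2020-14387. `$hostname` is also unquoted in all three places on that line; quote it as `"$hostname"`.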
