Hi developers:

Nowadays we made a large-scale security static analysis on several open source projects, and found some mistakes in elog-3.1.1-1. In src/elog.c:300:

    int ssl_connect(int sock, SSL ** ssl_con)
    {
       SSL_METHOD *meth;
       SSL_CTX *ctx;

       SSL_library_init();
       SSL_load_error_strings();
       meth = (SSL_METHOD *) TLSv1_method();
       ctx = SSL_CTX_new(meth);
       *ssl_con = SSL_new(ctx);
       SSL_set_fd(*ssl_con, sock);
       if (SSL_connect(*ssl_con) <= 0)
          return -1;
       return 0;
    }

When the SSL connect finishes, you immediately start to execute read/write operations without verifying the certificate, which can lead to a MITM attack and cause leakage of sensitive data. We recommend you add a verify operation such as SSL_CTX_set_verify or SSL_get_peer_certificate to guarantee the security. We have sent the bug report to Ubuntu Launchpad, and also inform you of such news. Here is the link:

https://bugs.launchpad.net/ubuntu/+source/elog/+bug/1677558
--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
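
The class of finding reported above can be checked for with a regex-based heuristic, shown here as an added example that is neither the reporters' analysis tool nor elog code: it flags C functions that call SSL_connect without enabling peer verification. The names VERIFY_EVIDENCE, FUNC_HEAD, function_bodies and unverified_tls_functions, and the HARDENED sample (which assumes the OpenSSL 1.1.0 or later API), are constructed for this example.

```python
import re

# Heuristic evidence of validation: SSL_VERIFY_PEER set, or verify result checked.
VERIFY_EVIDENCE = re.compile(
    r"SSL_(?:CTX_)?set_verify\s*\([^;]*SSL_VERIFY_PEER|SSL_get_verify_result\s*\(")
FUNC_HEAD = re.compile(r"\b(\w+)\s*\([^;{}]*\)\s*\{")

# The function quoted in the report.
REPORTED = """
int ssl_connect(int sock, SSL ** ssl_con) {
   SSL_METHOD *meth; SSL_CTX *ctx;
   SSL_library_init(); SSL_load_error_strings();
   meth = (SSL_METHOD *) TLSv1_method();
   ctx = SSL_CTX_new(meth);
   *ssl_con = SSL_new(ctx); SSL_set_fd(*ssl_con, sock);
   if (SSL_connect(*ssl_con) <= 0) return -1;
   return 0;
}
"""

# Constructed variant with verification enabled (not elog code).
HARDENED = """
int ssl_connect_verified(int sock, SSL ** ssl_con, const char *host) {
   SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
   SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);  /* abort on a bad chain */
   SSL_CTX_set_default_verify_paths(ctx);           /* system trust store */
   *ssl_con = SSL_new(ctx);
   SSL_set1_host(*ssl_con, host);                   /* match certificate name */
   SSL_set_fd(*ssl_con, sock);
   if (SSL_connect(*ssl_con) <= 0) return -1;
   return 0;
}
"""

def function_bodies(src):
    """Yield (name, body) for each top-level C function, by brace matching."""
    pos = 0
    while (m := FUNC_HEAD.search(src, pos)):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i]
        pos = i

def unverified_tls_functions(src):
    """Names of functions that call SSL_connect with no verification evidence."""
    return [name for name, body in function_bodies(src)
            if re.search(r"\bSSL_connect\s*\(", body)
            and not VERIFY_EVIDENCE.search(body)]
```

The check is textual, so braces inside comments or string literals, and verification configured in a different function than the one calling SSL_connect, will confuse it; treat a hit as a prompt for manual review.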