[Expired for pacemaker (Ubuntu) because there has been no activity for
60 days.]

** Changed in: pacemaker (Ubuntu)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu
High Availability Team, which is subscribed to pacemaker in Ubuntu.
https://bugs.launchpad.net/bugs/1380038

Title:
  SSL problems: doesn't check certificate chain and hostname when ssl
  connecting

Status in pacemaker package in Ubuntu:
  Expired

Bug description:
  Recently, we have been trying to find SSL security problems by static
  analysis. For example, as we all know, hostname verification is an
  important step when verifying X509 certificates; however, people tend
  to miss the step or to misunderstand the APIs when using SSL/TLS,
  which might cause a severe man-in-the-middle attack and break the
  entire TLS mechanism. Static analysis is a way of finding whether the
  APIs are called correctly.

  Now, we have found some SSL problems in pacemaker; the details are as
  follows:

  1. file: /pacemaker-1.1.6/lib/common/remote.c
     problem: Certificate chain verification is missing

  2. file: /pacemaker-1.1.6/lib/common/remote.c
     problem: Hostname verification is missing

  More specifically, we can take the hostname check as an example: the
  function verify_certificate() can only guarantee the validity of the
  certificate but cannot guarantee that the host you are trying to
  connect to is the one you intend to visit, which may lead to a
  man-in-the-middle attack or other security issues. Other APIs have
  similar problems.

  PS: for more information, you can see the paper:
  http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
  and for more details you can contact us; my email: [email protected]

  Thanks.


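The hostname check the report describes as missing is the comparison of the name the client set out to reach against the dNSName entries of the certificate it was handed, performed after the chain itself has been verified. The following is an added, stand-alone example of that comparison under the RFC 6125 matching rules; it is not pacemaker's code (a GnuTLS-based client would normally call gnutls_x509_crt_check_hostname() for this), and the `san` array is an assumed stand-in for names already extracted from a chain-verified certificate.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive comparison of n bytes of two ASCII names. */
static bool name_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/*
 * Match a hostname against one dNSName from a certificate per RFC 6125:
 * exact case-insensitive match, or a '*' that is the entire left-most label
 * with at least two labels after it; the wildcard matches exactly one
 * non-empty label and never spans a '.'. iPAddress SANs are not handled.
 */
bool hostname_matches(const char *hostname, const char *pattern)
{
    size_t hlen = strlen(hostname), plen = strlen(pattern);
    if (hlen > 0 && hostname[hlen - 1] == '.')
        hlen--;                     /* tolerate a trailing dot (FQDN form) */
    if (hlen == 0 || plen == 0 || memchr(hostname, '*', hlen) != NULL)
        return false;

    const char *wild = strchr(pattern, '*');
    if (wild == NULL)               /* plain name: lengths and bytes agree */
        return hlen == plen && name_eq(hostname, pattern, hlen);
    /* Wildcard must be the whole first label ("*.") and appear only once. */
    if (wild != pattern || plen < 2 || pattern[1] != '.' || strchr(wild + 1, '*'))
        return false;
    if (strchr(pattern + 2, '.') == NULL)   /* reject "*.com"-style names */
        return false;
    const char *hdot = memchr(hostname, '.', hlen);
    if (hdot == NULL || hdot == hostname)   /* need a non-empty first label */
        return false;
    size_t rest = hlen - (size_t)(hdot - hostname);   /* ".example.com" */
    return rest == plen - 1 && name_eq(hdot, pattern + 1, rest);
}

/* True if any dNSName SAN of a (chain-verified) certificate names the host. */
bool cert_names_host(const char *hostname, const char *const *san, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (hostname_matches(hostname, san[i]))
            return true;
    return false;
}
```

A client that skips this step accepts any certificate the chain check passes, including one legitimately issued to a different name, which is exactly the gap the report points at.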