ASA-202108-8 log original external raw
[ASA-202108-8] fossil: certificate verification bypass |
---|
Arch Linux Security Advisory ASA-202108-8
=========================================
Severity: High
Date : 2021-08-10
CVE-ID : CVE-2021-36377
Package : fossil
Type : certificate verification bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-2146
Summary
=======
The package fossil before version 2.16-1 is vulnerable to certificate
verification bypass.
Resolution
==========
Upgrade to 2.16-1.
# pacman -Syu "fossil>=2.16-1"
The problem has been fixed upstream in version 2.16.
Workaround
==========
None.
Description
===========
Fossil before version 2.15.2 often skips the hostname check during TLS
certificate validation.
Impact
======
A man-in-the-middle attacker could spoof a Fossil repository by
presenting any valid certificate for an arbitrary hostname, leading to
potential information disclosure.
References
==========
https://www.fossil-scm.org/forum/forumpost/8d367e16f53d93c789d70bd3bf2c9587227bbd5c6a7b8e512cccd79007536036
https://www.fossil-scm.org/home/info/aaab2a15d1dfc22f5453c2bad8f25ecf518ed3eef9a7fa6f4c5bd69ab4e4b075
https://security.archlinux.org/CVE-2021-36377
|