Subject: [ASA-202108-8] fossil: certificate verification bypass

Arch Linux Security Advisory ASA-202108-8
=========================================

Severity: High
Date    : 2021-08-10
CVE-ID  : CVE-2021-36377
Package : fossil
Type    : certificate verification bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2146

Summary
=======

The package fossil before version 2.16-1 is vulnerable to certificate
verification bypass.

Resolution
==========

Upgrade to 2.16-1.

# pacman -Syu "fossil>=2.16-1"

The problem has been fixed upstream in version 2.16.

Workaround
==========

None.

Description
===========

Fossil before version 2.15.2 often skips the hostname check during TLS
certificate validation.

Impact
======

A man-in-the-middle attacker could spoof a Fossil repository by
presenting any valid certificate for an arbitrary hostname, leading to
potential information disclosure.

References
==========

https://www.fossil-scm.org/forum/forumpost/8d367e16f53d93c789d70bd3bf2c9587227bbd5c6a7b8e512cccd79007536036
https://www.fossil-scm.org/home/info/aaab2a15d1dfc22f5453c2bad8f25ecf518ed3eef9a7fa6f4c5bd69ab4e4b075
https://security.archlinux.org/CVE-2021-36377