Hello,

There seems to be a security issue in the way git uses openssl for certificate validation. Similar occurrences have been found and documented in other open source projects; the research can be found at [1].

imap-send.c Line 307

    ret = SSL_connect(sock->ssl);
    if (ret <= 0) {
        socket_perror("SSL_connect", sock, ret);
        return -1;
    }

Certificate validation errors are signaled either through return values of SSL_connect or by setting internal flags. The internal flags need to be checked using the SSL_get_verify_result function. This is not performed.

Kindly fix these issues, file a CVE and credit it to Dhanesh K. and Zubin Mithra. Thanks.

We are not subscribed to this list, so we'd appreciate it if you could CC us in the replies.

Hope this helps.

Thanks!
Zubin

[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf