Moritz Buhl:
> this diff fixes CVE-2020-14387 for net/rsync.
The same change was committed upstream:
https://github.com/WayneD/rsync/commit/c3f7414c450faaf6a8281cc4a4403529aeb7d859
However...
> +- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
> ++ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
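Review bot: the added `-verify_hostname $hostname` on the `++ exec` line is passed unconditionally to whatever binary `$RSYNC_SSL_OPENSSL` names, with no check that its s_client accepts the option. Consider probing for the option before the exec and exiting with a clear error when it is missing, rather than letting the connection fail on an unknown option or falling back to a run without hostname verification. `$hostname` and `$port` are also expanded unquoted on this line; writing `"$hostname"` and `"$hostname:$port"` would keep an odd value from being split into extra s_client arguments.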
... LibreSSL's openssl(1) doesn't appear to support the -verify_hostname
option. So this change would break rsync-ssl for us.
And actually, -verify_quiet doesn't exist either, so this is already
broken.
--
Christian "naddy" Weisgerber naddy@mips.inka.de