Re: 1.9.0-beta1 may accept invalid certificates
On 10.05.2015 21:23, Stefan Sperling wrote:
> On Sun, May 10, 2015 at 04:05:16PM +0000, Daniel Shahaf wrote:
>> Subversion 1.9.0-beta1 may accept invalid SSL certificates presented by
>> servers in certain conditions: if both --non-interactive and --trust-foo
>> were passed, and the certificate has two failures, both the 'foo'
>> failure and some other failure.
>> In this context, a 'failure' corresponds to one of the 1.9.x cmdline
>> client's --trust-* option flags.
>> This issue is not present in any GA release (1.8.x or earlier) and will
>> not be present in 1.9.0 final.
>> (handling this publicly since it doesn't affect any GA release; normally
>> we handle security issues privately)
> Sorry! I think I wrote this... oops.
> And thank you very much for catching it before dot zero GA!
Yup. FWIW, RC-1 has the same problem, but RC2 will not (assuming we all
vote for the backport).
Received on 2015-05-10 21:45:37 CEST
This is an archived mail posted to the Subversion Dev