
Re: 1.9.0-beta1 may accept invalid certificates

From: Branko Čibej <brane_at_wandisco.com>
Date: Sun, 10 May 2015 21:44:45 +0200

On 10.05.2015 21:23, Stefan Sperling wrote:
> On Sun, May 10, 2015 at 04:05:16PM +0000, Daniel Shahaf wrote:
>> Subversion 1.9.0-beta1 may accept invalid SSL certificates presented by
>> servers in certain conditions: if both --non-interactive and --trust-foo
>> were passed, and the certificate has two failures, both the 'foo'
>> failure and some other failure.
>> In this context, a 'failure' corresponds to one of the 1.9.x cmdline
>> client's --trust-* option flags.
>> This issue is not present in any GA release (1.8.x or earlier) and will
>> not be present in 1.9.0 final.
>> Daniel
>> (handling this publicly since it doesn't affect any GA release; normally
>> we handle security issues privately)
> Sorry! I think I wrote this... oops.
> And thank you very much for catching it before dot zero GA!

Yup. FWIW, RC-1 has the same problem, but RC2 will not (assuming we all
vote for the backport).

-- Brane
Received on 2015-05-10 21:45:37 CEST
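The failure mode Daniel describes above, reduced to its essence: a non-interactive client is given one --trust-* flag, the server's certificate has two verification failures, and the check wrongly treats "at least one failure is trusted" as "the certificate is trusted". The following is an added illustration written for this page, not Subversion's code and not the actual bug. The failure names mirror the classes the 1.9 client lets you trust individually, but the bit values, the function names and the scenario are assumptions constructed for the example. It places the buggy any-match check beside the correct all-covered check, and adds the non-interactive versus interactive decision a client has to make when some failure is not covered.

```c
#include <stdio.h>
#include <stdbool.h>

/* Illustrative bit flags for certificate verification failures.  The names
 * follow the failure classes a --trust-* option can cover; the numeric values
 * are an assumption for this example, not Subversion's constants. */
enum cert_failure {
    FAIL_UNKNOWN_CA    = 1u << 0,
    FAIL_CN_MISMATCH   = 1u << 1,
    FAIL_EXPIRED       = 1u << 2,
    FAIL_NOT_YET_VALID = 1u << 3,
    FAIL_OTHER         = 1u << 4
};

enum verdict { VERDICT_ACCEPT, VERDICT_REJECT, VERDICT_PROMPT };

/* Buggy check (constructed for illustration): accept as soon as ANY reported
 * failure is covered by a trust flag.  A certificate that is both expired and
 * signed by an unknown CA passes with only the "expired" failure trusted,
 * which is the shape of the problem reported in this thread. */
bool accept_buggy(unsigned failures, unsigned trusted)
{
    if (failures == 0)
        return true;                    /* fully valid certificate */
    return (failures & trusted) != 0;   /* wrong: any overlap is enough */
}

/* Correct check: accept only when EVERY reported failure is covered.
 * Any failure bit left after masking out the trusted ones must reject. */
bool accept_fixed(unsigned failures, unsigned trusted)
{
    return (failures & ~trusted) == 0;
}

/* Failure bits the buggy check let through without a matching trust flag,
 * i.e. exactly what an attacker gains from the bug.  Zero if nothing leaked. */
unsigned untrusted_failures_accepted(unsigned failures, unsigned trusted)
{
    if (!accept_buggy(failures, trusted))
        return 0;
    return failures & ~trusted;
}

/* What a client must do with the uncovered failures: with --non-interactive
 * there is nobody to ask, so the only safe answer is to reject; otherwise the
 * user can be prompted about the remaining failures. */
enum verdict decide(unsigned failures, unsigned trusted, bool non_interactive)
{
    unsigned uncovered = failures & ~trusted;
    if (uncovered == 0)
        return VERDICT_ACCEPT;
    return non_interactive ? VERDICT_REJECT : VERDICT_PROMPT;
}

int main(void)
{
    /* Constructed scenario: the user trusted only the "expired" failure, the
     * server presents a certificate that is expired AND from an unknown CA. */
    unsigned failures = FAIL_EXPIRED | FAIL_UNKNOWN_CA;
    unsigned trusted  = FAIL_EXPIRED;

    printf("buggy check : %s\n", accept_buggy(failures, trusted) ? "ACCEPT" : "reject");
    printf("fixed check : %s\n", accept_fixed(failures, trusted) ? "ACCEPT" : "reject");
    printf("failure bits accepted without a trust flag: 0x%x\n",
           untrusted_failures_accepted(failures, trusted));
    printf("non-interactive verdict: %s\n",
           decide(failures, trusted, true) == VERDICT_REJECT ? "reject" : "other");
    return 0;
}
```

The practical check when reviewing any such code is the one `accept_fixed` encodes: the trusted mask must be subtracted from the failure mask and the remainder tested for zero, never the two masks tested for overlap. The same reasoning applies to loops that return "accept" on the first trusted failure instead of continuing through the rest.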

This is an archived mail posted to the Subversion Dev mailing list.