package/rsync: fix CVE-2020-14387
author Fabrice Fontaine <fontaine.fabrice@gmail.com>
Sat, 12 Jun 2021 12:02:10 +0000 (14:02 +0200)
committer Peter Korsgaard <peter@korsgaard.com>
Sat, 12 Jun 2021 14:26:00 +0000 (16:26 +0200)
commit 5d5c619410bdb164ce0371e81e67ac3157e63394
tree 5c03ff43cd28b114c5e1a78904f33378fdcaa45c
parent 7f4429dd907868bcbe09ebcfb4aa40f77b3d5acc

A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly
validates certificates, resulting in a host mismatch vulnerability. A remote,
unauthenticated attacker could exploit the flaw by performing a
man-in-the-middle attack using a valid certificate for another hostname,
which could compromise the confidentiality and integrity of data transmitted
using rsync-ssl. The highest threat from this vulnerability is to data
confidentiality and integrity. This flaw affects rsync versions before
3.2.4.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: add a comment explaining what patch fixes this CVE]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch [new file with mode: 0644]
package/rsync/rsync.mk