Related to this bug in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816063

See also: https://glyph.twistedmatrix.com/2015/11/editor-malware.html

Main concern is that `package.el` will continue despite certificate validation errors, which doesn't seem to be exactly the case on RHEL but the defaults could perhaps be hardened? The commands logged in Wade's paste below show that `gnutls-cli` exits with an error when it detects cert errors, while `openssl` just spits some diagnostics on stderr and allows the user to continue.

Quoting wmealing from PS bug 1312922:

> RHEL5 wasn't built linked to gnutls.. so...
> RHEL6
> RHEL7 throws warnings and asks if you want to continue.
> Fedora24 and Fedora25 throw warnings/displays and ask if you want to continue.
>
> http://pastebin.test.redhat.com/433806
>
> Some bad news, it looks like it falls back to openssl to make the connection,
> which doesn't fail. Boo.. so while it's not the same bug.. it's got the same
> outcome.
>
> Maybe not all commands that use TLS will do this kind of fallback though.
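The exit-status difference described above is the crux: `gnutls-cli` fails the connection on a certificate error, while `openssl s_client` exits 0 and only reports the problem in its `Verify return code:` line, so any caller that falls back to openssl must parse that line itself. The following shell function is an added example (not from the bug report or from Emacs) that does exactly that; the function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: openssl s_client returns exit status 0 even when the server
# certificate does not verify, so a wrapper has to read the "Verify return
# code: N (reason)" line from its output instead of trusting the exit status.
# Returns 0 only when openssl reported code 0 (ok); 1 on a verification
# failure; 2 when no verify line was found (treated as a failure too).
verify_status_from_s_client() {
    # Pull N out of the first "Verify return code: N (...)" line on stdin.
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    [ -n "$code" ] || { echo "no verify result in s_client output" >&2; return 2; }
    [ "$code" -eq 0 ] && return 0
    echo "certificate verification failed (openssl verify code $code)" >&2
    return 1
}

# Constructed sample outputs standing in for two real s_client sessions.
SAMPLE_OK='---
SSL handshake has read 1234 bytes and written 456 bytes
    Verify return code: 0 (ok)
---'
SAMPLE_BAD='---
SSL handshake has read 1234 bytes and written 456 bytes
    Verify return code: 21 (unable to verify the first certificate)
---'

# Against a live host (needs network, so not run here):
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | verify_status_from_s_client
```

The same wrapper is unnecessary for `gnutls-cli`, whose own non-zero exit status already carries the verification result.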
Seems to be fixed by http://git.savannah.gnu.org/cgit/emacs.git/commit/?id=ccae04f205db7cffa0f247a463272f6c5af77122.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3166