Eric Christensen of Red Hat Product Security reported [1] that Duplicity did not handle wildcard certificates properly. If Duplicity were to connect to a remote host that used a wildcard certificate, and the hostname did not match the wildcard, it would still consider the connection valid. An example of this is provided below:

$ openssl s_client -connect s3-1-w.amazonaws.com:443 -crlf
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN = *.s3.amazonaws.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3.amazonaws.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

In this instance, the domain being connected to is not *.s3.amazonaws.com, but s3-1-w.amazonaws.com. There is currently no upstream fix.
[1] https://bugs.launchpad.net/duplicity/+bug/1314234

Acknowledgements: This issue was discovered by Eric Christensen of Red Hat Product Security.
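The report above hinges on one rule: a wildcard label in a certificate name matches exactly one DNS label in the hostname, and only in the leftmost position, so *.s3.amazonaws.com covers bucket.s3.amazonaws.com but not s3-1-w.amazonaws.com. The following is an added example written for this entry, not code from Duplicity or from the Launchpad bug, of a hostname check that applies that rule to a certificate in the dictionary layout Python's ssl.SSLSocket.getpeercert() returns. The certificate dictionary is constructed from the subject shown in the openssl output; its subjectAltName entry is an assumption, since the report does not print the SAN extension.

```python
"""Hostname matching against a wildcard certificate (RFC 6125 style).

Added illustration for this bug report; not Duplicity's own code.
"""
import ssl


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name `pattern` covers `hostname`.

    Rules applied (the ones a correct TLS client enforces):
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' may appear only as the entire leftmost label;
      * the wildcard matches exactly one label, never zero or several;
      * '*.com'-style patterns (fewer than two fixed labels) are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard only as the whole leftmost label, with at least two fixed labels after it.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    # '*' stands for exactly one label, so label counts must agree and the rest must be equal.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Check `hostname` against a certificate dict shaped like ssl.getpeercert().

    dNSName entries in subjectAltName are authoritative; the subject CN is
    consulted only when the certificate carries no dNSName SAN at all.
    """
    dns_names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_dnsname_match(name, hostname) for name in dns_names)


def verified_context() -> ssl.SSLContext:
    """A client context that performs this check itself (modern Python default)."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname  # hostname verification is on by default
    return ctx


# Constructed from the depth=0 subject in the openssl output above.
# The subjectAltName entry is an assumption; the report does not show the SAN.
AMAZON_S3_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Washington"),),
        (("localityName", "Seattle"),),
        (("organizationName", "Amazon.com Inc."),),
        (("commonName", "*.s3.amazonaws.com"),),
    ),
    "subjectAltName": (("DNS", "*.s3.amazonaws.com"),),
}


if __name__ == "__main__":
    for host in ("s3-1-w.amazonaws.com", "bucket.s3.amazonaws.com",
                 "a.b.s3.amazonaws.com", "s3.amazonaws.com"):
        print(f"{host:28s} -> {cert_matches_hostname(AMAZON_S3_CERT, host)}")
```

Running the block prints False for s3-1-w.amazonaws.com (the host from the report), True for bucket.s3.amazonaws.com, and False for both a.b.s3.amazonaws.com (the wildcard cannot span two labels) and the bare s3.amazonaws.com (it cannot match zero labels). A client that accepts the first case has the defect described in this bug: the chain verifies, as the verify return:1 lines show, but the name binding is never enforced.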
Created duplicity tracking bugs for this issue: Affects: fedora-all [bug 1110003] Affects: epel-all [bug 1110004]
Do you have information why https://bugs.launchpad.net/duplicity/+bug/1314234 does not work? Is this an embargoed issue?
Indeed it is. I don't know why it still is. We had communicated quite clearly that we didn't want to sit on this forever and had a deadline that we missed twice I think. When this bug was filed public, I let them know so I'm not sure why they've not opened it up yet.
Not sure I can do much without an upstream fix. So I guess I will just wait unless someone else provides a patch.
I contacted upstream. Reference URL is now open.
Subscribed. Thanks!
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.