Actions
Bug #19033
closed
CVE-2017-2667 - SSL/HTTPS server certificates are not verified by default
Difficulty:
Triaged:
Pull request:
Team Backlog:
Description
HTTPS connections initiated by Hammer to the API server do not perform validation of the server SSL/TLS certificate, allowing for a man-in-the-middle attack against the user.
#12400 has introduced automatic certificate verification when an SSL CA is explicitly configured, but the default for HTTPS connections remains off. It could be verified against the system CA store.
Reported by Tomas Strachota to foreman-security@googlegroups.com.
Updated by Dominic Cleal about 7 years ago
- Related to Bug #12400: Missing option to enable verification of the server certificate. added
Updated by Dominic Cleal about 7 years ago
- Subject changed from SSL/HTTPS server certificates are not verified by default to CVE-2017-2667 - SSL/HTTPS server certificates are not verified by default
Updated by Tomáš Strachota about 7 years ago
- Status changed from New to Assigned
- Assignee set to Tomáš Strachota
Updated by The Foreman Bot about 7 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/hammer-cli/pull/235 added
Updated by The Foreman Bot about 7 years ago
- Pull request https://github.com/theforeman/hammer-cli-foreman/pull/293 added
Updated by Anonymous about 7 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 74b926ae24f47f1d93b778e06b64935e57b60e33.
Actions