
group.of.nepali.translators team mailing list archive

[Bug 1677958] Re: no SSL certificate verify


** Also affects: nghttp2 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: nghttp2 (Ubuntu)
       Status: New => Fix Released

** Changed in: nghttp2 (Ubuntu Xenial)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1677958

Title:
  no SSL certificate verify

Status in nghttp2 package in Ubuntu:
  Fix Released
Status in nghttp2 source package in Xenial:
  Confirmed

Bug description:
  Hi developers:
      We made a large-scale security static analysis on several open source projects, and found some mistakes in nghttp2 1.7.1. In example/client.c:539:
      static void fetch_uri(const struct URI *uri) {
        [...]
        ssl_ctx = SSL_CTX_new(SSLv23_client_method());
        if (ssl_ctx == NULL) {
          dief("SSL_CTX_new", ERR_error_string(ERR_get_error(), NULL));
        }
        init_ssl_ctx(ssl_ctx);
        ssl = SSL_new(ssl_ctx);
        if (ssl == NULL) {
          dief("SSL_new", ERR_error_string(ERR_get_error(), NULL));
        }
        /* To simplify the program, we perform SSL/TLS handshake in blocking
           I/O. */
        ssl_handshake(ssl, fd);
        [...]
      }

      The function ssl_handshake(ssl, fd) performs SSL_connect(ssl). When
  the SSL connect finishes, you immediately start to execute read/write
  operations without verifying the certificate, which can lead to a MITM
  attack and cause leakage of sensitive data. We recommend you add a verify
  operation such as SSL_CTX_set_verify or SSL_get_peer_certificate to
  guarantee the security.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/1677958/+subscriptions
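The defect reported above is a client that completes the TLS handshake and then reads and writes without ever checking who it is talking to. The following added example (not nghttp2 code, and written against Python's standard `ssl` module rather than the C OpenSSL API used in example/client.c) shows the insecure configuration beside the hardened one, and a small audit that flags the pattern; function names are constructed for this illustration.

```python
"""Constructed example: TLS client contexts with and without peer verification,
plus an audit that reports the 'connect, then read/write unverified' pattern."""
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """Mirrors the reported bug: handshake succeeds against any certificate,
    so an on-path attacker can present their own and read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # analogous to never calling SSL_CTX_set_verify
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Equivalent of SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, ...) plus the
    hostname binding that SSL_VERIFY_PEER alone does not provide."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # handshake fails on an untrusted chain
    ctx.check_hostname = True             # certificate must match the server name
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # pinned/private CA bundle
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)  # system trust store
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings; an empty list means the context would
    reject a MITM certificate at handshake time."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate is not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_client_context(insecure_client_context()))
    print("hardened:", audit_client_context(hardened_client_context()))
```

With a verifying context, `ssl.SSLSocket.getpeercert()` after the handshake returns the validated certificate, which is the point at which the report's suggested `SSL_get_peer_certificate` check would sit in the C client.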