| From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea Mon Sep 17 00:00:00 2001 |
| From: Matt McCutchen <matt@mattmccutchen.net> |
| Date: Wed, 26 Aug 2020 12:16:08 -0400 |
| Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using |
| openssl. |
| |
| CVE: CVE-2020-14387 |
| |
| Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414] |
| |
| Signed-off-by: Chen Qi <Qi.Chen@windriver.com> |
| --- |
| rsync-ssl | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/rsync-ssl b/rsync-ssl |
| index 8101975..46701af 100755 |
| --- a/rsync-ssl |
| +++ b/rsync-ssl |
| @@ -129,7 +129,7 @@ function rsync_ssl_helper { |
| fi |
| |
| if [[ $RSYNC_SSL_TYPE == openssl ]]; then |
| - exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port |
| + exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port |
| elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then |
| exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port |
| else |
| -- |
| 2.17.1 |
| |