Andrew Geissler | c926e17 | 2021-05-07 16:11:35 -0500 | [diff] [blame^] | 1 | From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea Mon Sep 17 00:00:00 2001 |
| 2 | From: Matt McCutchen <matt@mattmccutchen.net> |
| 3 | Date: Wed, 26 Aug 2020 12:16:08 -0400 |
| 4 | Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using |
| 5 | openssl. |
| 6 | |
| 7 | CVE: CVE-2020-14387 |
| 8 | |
| 9 | Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414] |
| 10 | |
| 11 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> |
| 12 | --- |
| 13 | rsync-ssl | 2 +- |
| 14 | 1 file changed, 1 insertion(+), 1 deletion(-) |
| 15 | |
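--- a/rsync-ssl
+++ b/rsync-ssl
@@ -129,7 +129,7 @@ function rsync_ssl_helper {
 fi
 
 if [[ $RSYNC_SSL_TYPE == openssl ]]; then
- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
 elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
 exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
 else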
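Review bot: On the new `exec $RSYNC_SSL_OPENSSL s_client …` line, `-verify_hostname $hostname` only tells s_client which name to check. As s_client is documented, a mismatch ends the connection only when `-verify_return_error` is also in effect, and that option is not on this line, so it would have to arrive through `$caopt`, which is set outside the hunk. Please confirm that every `$caopt` value meant to verify the peer carries it, and consider a comment above the exec such as `# hostname mismatch is fatal only when $caopt includes -verify_return_error`. Separately, `$hostname` is expanded unquoted three times here; `-servername "$hostname" -verify_hostname "$hostname" -connect "$hostname:$port"` would keep a name containing whitespace from being split into extra s_client arguments. rsync_ssl_helper starts and ends outside the hunk.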
| 29 | -- |
| 30 | 2.17.1 |
| 31 | |