ASA-202108-8: fossil: certificate verification bypass
Arch Linux Security Advisory ASA-202108-8
========================================
Severity: High
Date : 2021-08-10
CVE-ID : CVE-2021-36377
Package : fossil
Type : certificate verification bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-2146
Summary
======
The package fossil before version 2.16-1 is vulnerable to certificate
verification bypass.
Resolution
=========
Upgrade to 2.16-1.
# pacman -Syu "fossil>=2.16-1"
The problem has been fixed upstream in version 2.16.
Workaround
=========
None.
Description
==========
Fossil before version 2.15.2 often skips the hostname check during TLS
certificate validation.
Impact
=====
A man-in-the-middle attacker could spoof a Fossil repository by
presenting any valid certificate for an arbitrary hostname, leading to
potential information disclosure.
References
=========
https://www.fossil-scm.org/forum/forumpost/8d367e16f53d93c789d70bd3bf2c9587227bbd5c6a7b8e512cccd79007536036
https://www.fossil-scm.org/home/info/aaab2a15d1dfc22f5453c2bad8f25ecf518ed3eef9a7fa6f4c5bd69ab4e4b075
https://security.archlinux.org/CVE-2021-36377
A fossil security update has been released for Arch Linux.
