Warning vulnerability in elog : no SSL certificate verify

Shopping Ruan rlq1969612634 at gmail.com
Fri Mar 31 10:38:16 UTC 2017

Hi developers:
  Nowdays we made a large scale security static analysis on several open
source projects,and found some mistakes in elog-3.1.1-1.In the at src
   int ssl_connect(int sock, SSL ** ssl_con)
     SSL_METHOD *meth;
     SSL_CTX *ctx;


     meth = (SSL_METHOD *) TLSv1_method();
     ctx = SSL_CTX_new(meth);

     *ssl_con = SSL_new(ctx);
     SSL_set_fd(*ssl_con, sock);
     if (SSL_connect(*ssl_con) <= 0)
      return -1;

    return 0;
   When finish the SSL connect, you immedicately start to execute
read/write operation without verify certificate,which can lead to MITM
attack and cause leakage of sensitive data.We recommand you add verify
operation such as SSL_CTX_set_verify or SSL_get_peer_certificate to
guarantee the security.We have send the bug report to Ubuntu launchpad,and
also inform you of such news.Here are the link:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20170331/2f0a6fbe/attachment.html>

More information about the Ubuntu-devel-discuss mailing list