<div dir="ltr"><p id="gmail-yui_3_10_3_1_1490948538069_1629" style="margin:0px 0px 1.2em;padding:0px;width:auto;max-width:45em;color:rgb(51,51,51);font-family:monospace;font-size:12px">Hi developers:<br>   Recently we ran a large-scale static security analysis on several open source projects, and found some mistakes in uhub_0.4.1. In @src/network/openssl.c:245:<br>  ssize_t net_con_ssl_handshake(struct net_connection* con, enum net_con_ssl_mode ssl_mode, struct ssl_context_handle* ssl_ctx)<br>{<br> [...]<br> else<br> {<br>  handle->ssl = SSL_new(SSL_CTX_new(TLSv1_method()));<br>  SSL_set_fd(handle->ssl, con->sd);<br>  handle->bio = SSL_get_rbio(handle->ssl);<br>  con->ssl = (struct ssl_handle*) handle;<br>  return net_con_ssl_connect(con);<br> }</p>
<p style="margin:0px 0px 1.2em;padding:0px;width:auto;max-width:45em;color:rgb(51,51,51);font-family:monospace;font-size:12px">  You call SSL_connect(ssl) in net_con_ssl_connect(con), and when this step finishes, you immediately start to execute read/write operations without verifying the certificate, which can lead to a MITM attack and cause leakage of sensitive data. We recommend you add a verify operation such as SSL_CTX_set_verify or SSL_get_peer_certificate to guarantee the security. We have sent the bug report to Ubuntu Launchpad, and are also informing you of it. Here is the link:</p>
<p style="margin:0px 0px 1.2em;padding:0px;width:auto;max-width:45em"><font color="#333333" face="monospace"><span style="font-size:12px"><a href="https://bugs.launchpad.net/ubuntu/+source/uhub/+bug/1677495">https://bugs.launchpad.net/ubuntu/+source/uhub/+bug/1677495</a></span></font><br></p></div>