OK. Here is the link:
https://github.com/monitoring-plugins/monitoring-plugins/issues/1479

Thanks.

2017-03-31 22:01 GMT+08:00 Daniel Llewellyn <dan...@bowlhat.net>:

> Thank you for taking the time to report this bug and helping to make
> Ubuntu better. The issue you are reporting is an upstream one and it
> would be nice if somebody having it could send the bug to the developers
> of the software by following the instructions at
> https://github.com/monitoring-plugins/monitoring-plugins/issues. If you have done so,
> please tell us the number of the upstream bug (or the link), so we can
> add a bugwatch that will inform us about its status. Thanks in advance.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677951
>
> Title:
>   incomplete SSL certificate verify
>
> Status in monitoring-plugins package in Ubuntu:
>   New
>
> Bug description:
>   Hi developers:
>       We made a large scale security static analysis on several open
> source projects, and found some mistakes in monitoring-plugins-2.1.2. In
> the @plugins/sslutils.c:164:
>         int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
>         #  ifdef USE_OPENSSL
>         [...]
>         certificate=SSL_get_peer_certificate(s);
>
>         if (!certificate) {
>                 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
>                 return STATE_CRITICAL;
>         }
>
>         /* Extract CN from certificate subject */
>         subj=X509_get_subject_name(certificate);
>         [...]
>         }
>
>       We find that you use SSL_get_peer_certificate() to get the cert
>   and verify some properties of it. But it is still not secure enough and
>   can lead to MITM attack. To guarantee the security, we recommend you
>   add the judgement if(SSL_get_verify_result(ssl)==X509_V_OK) to make
>   sure validation succeeds.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/monitoring-plugins/+bug/1677951/+subscriptions
>


** Bug watch added: github.com/monitoring-plugins/monitoring-plugins/issues #1479
   https://github.com/monitoring-plugins/monitoring-plugins/issues/1479

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677951

Title:
  incomplete SSL certificate verify

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/monitoring-plugins/+bug/1677951/+subscriptions
