View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000443 | bareos-core | installer / packages | public | 2015-03-24 02:54 | 2023-03-23 16:33 |
Field | Value
---|---
Reporter | aef
Assigned To | bruno-at-bareos
Priority | normal
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Summary | 0000443: Download site not available through HTTPS
Tags | No tags attached.

Description

Both the Bareos main website ( https://www.bareos.org/ ) and the bug tracker ( https://bugs.bareos.org/ ) are available through HTTPS. Strangely enough, the domain which serves all the software packages and cryptographic OpenPGP keys for code signature verification ( https://download.bareos.org/ ) is NOT available through HTTPS. An attacker could therefore easily send your customers different OpenPGP keys and/or manipulated software packages, which could very well result in a complete compromise of that customer's IT infrastructure. After all, we are talking about an enterprise backup system that usually has full access to filesystems on machines it is deployed on.

Steps To Reproduce

1. Visit https://download.bareos.org/
2. A TLS warning appears complaining about the fact that the used X.509 certificate is only valid for the domain www.bareos.org and not download.bareos.org.

Additional Information

Seriously, please fix this. Here are some possible solutions:

1. Install an additional X.509 certificate for download.bareos.org.
2. Install a wildcard X.509 certificate which is valid for all the above-mentioned domains.
3. Serve your software packages and cryptographic OpenPGP keys through www.bareos.org.
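The TLS warning in the report comes from the client's server-identity check: the certificate's DNS names (Subject Alternative Names) do not cover the hostname being visited. The following added example, which is not part of the issue or of the Bareos project, re-implements that check with the usual browser rules for wildcard names, so the certificate as reported (valid for www.bareos.org only) can be compared against the two certificate-based fixes the reporter proposes. The SAN lists are constructed sample data; the function names are this example's own. It covers only the hostname match, not chain validation or expiry.

```python
"""Does an X.509 certificate's DNS name list cover a given hostname?

Added example (not Bareos code). Implements the hostname-matching step of
TLS server-identity verification in the common RFC 6125 / browser form:
  - comparison is case-insensitive and ignores a trailing dot;
  - a wildcard is allowed only as the entire leftmost label ("*.bareos.org");
  - the wildcard matches exactly one label, so it covers neither the bare
    domain ("bareos.org") nor deeper names ("a.b.bareos.org");
  - a pattern needs at least two fixed labels, so "*.org" never matches.
"""
from __future__ import annotations


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name matches the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname           # plain name: exact match only

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label, nothing else may contain
    # one, and at least two fixed labels must remain (rejects "*.org").
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # The wildcard stands in for exactly one label.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def certificate_covers(san_dns_names: list[str], hostname: str) -> bool:
    """True if any DNS name in the certificate's SAN list matches hostname."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


def coverage_report(san_dns_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the certificate covers it."""
    return {host: certificate_covers(san_dns_names, host) for host in hostnames}


# Constructed SAN lists mirroring the situations described in the report.
CERT_AS_REPORTED = ["www.bareos.org"]
CERT_FIX_1 = ["www.bareos.org", "bugs.bareos.org", "download.bareos.org"]  # extra SAN entry
CERT_FIX_2 = ["*.bareos.org", "bareos.org"]                                # wildcard certificate

HOSTS = ["www.bareos.org", "bugs.bareos.org", "download.bareos.org"]

if __name__ == "__main__":
    for label, cert in (("as reported", CERT_AS_REPORTED),
                        ("fix 1: extra SAN", CERT_FIX_1),
                        ("fix 2: wildcard", CERT_FIX_2)):
        print(label, coverage_report(cert, HOSTS))
```

Running the block shows download.bareos.org uncovered by the first list and covered by both fixes; the wildcard list still rejects a deeper name such as mirror.download.bareos.org, which is why a wildcard is not a universal replacement for listing each host.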
Date Modified | Username | Field | Change |
---|---|---|---|
2015-03-24 02:54 | aef | New Issue | |
2015-03-31 10:46 | pstorz | Assigned To | => pstorz |
2015-03-31 10:46 | pstorz | Status | new => acknowledged |
2015-03-31 14:55 | pstorz | Assigned To | pstorz => |
2023-03-23 16:33 | bruno-at-bareos | Assigned To | => bruno-at-bareos |
2023-03-23 16:33 | bruno-at-bareos | Status | acknowledged => closed |
2023-03-23 16:33 | bruno-at-bareos | Resolution | open => fixed |
2023-03-23 16:33 | bruno-at-bareos | Note Added: 0004944 | |