View Issue Details
| Field | Value |
|---|---|
| ID | 0000443 |
| Project | bareos-core |
| Category | installer / packages |
| View Status | public |
| Date Submitted | 2015-03-24 02:54 |
| Last Update | 2015-03-31 14:55 |
| Reporter | aef |
| Assigned To | |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | acknowledged |
| Resolution | open |
| Summary | 0000443: Download site not available through HTTPS |
| Description | Both the Bareos main website ( https://www.bareos.org/ ) and the bug tracker ( https://bugs.bareos.org/ ) are available through HTTPS. Strangely enough, the domain which serves all the software packages and cryptographic OpenPGP keys for code signature verification ( https://download.bareos.org/ ) is NOT available through HTTPS. An attacker could therefore easily send your customers different OpenPGP keys and/or manipulated software packages, which could very well result in a complete compromise of that customer's IT infrastructure. After all, we are talking about an enterprise backup system that usually has full access to filesystems on machines it is deployed on. |
| Steps To Reproduce | 1. Visit https://download.bareos.org/ 2. A TLS warning appears, complaining that the X.509 certificate used is only valid for the domain www.bareos.org and not for download.bareos.org. |
| Additional Information | Seriously, please fix this. Here are some possible solutions: 1. Install an additional X.509 certificate for download.bareos.org. 2. Install a wildcard X.509 certificate which is valid for all the above-mentioned domains. 3. Serve your software packages and cryptographic OpenPGP keys through www.bareos.org. |
| Tags | No tags attached. |
| bareos-master: impact | |
| bareos-master: action | |
| bareos-19.2: impact | |
| bareos-19.2: action | |
| bareos-18.2: impact | |
| bareos-18.2: action | |
| bareos-17.2: impact | |
| bareos-17.2: action | |
| bareos-16.2: impact | |
| bareos-16.2: action | |
| bareos-15.2: impact | |
| bareos-15.2: action | |
| bareos-14.2: impact | |
| bareos-14.2: action | |
| bareos-13.2: impact | |
| bareos-13.2: action | |
| bareos-12.4: impact | |
| bareos-12.4: action | |
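As an added example (not part of the report and not Bareos's own code), the following Python script reproduces offline the hostname check that produces the TLS warning in the Steps To Reproduce, and shows which of the three proposed fixes would satisfy it. It makes no network connection: the subjectAltName (SAN) lists are constructed for illustration, assuming, as the reported warning says, that the certificate served on download.bareos.org names only www.bareos.org. The matching rules follow RFC 6125 (a wildcard counts only as the entire left-most label), which goes slightly beyond the single case in the report.

```python
"""Offline reproduction of the TLS hostname-mismatch warning from the report.

Constructed example: no network access is made. The SAN lists below are
made up to mirror the certificate situation the report describes and the
three fixes it proposes.
"""

# Hostnames taken from the report.
DOWNLOAD_HOST = "download.bareos.org"
WWW_HOST = "www.bareos.org"

# Assumption (constructed): the certificate served on download.bareos.org
# carries only the www name, which is what the browser warning says.
CERT_AS_REPORTED = ["www.bareos.org"]

# The report's three proposed fixes, each expressed as the SAN list a client
# would see and the host the client connects to.
PROPOSED_FIXES = {
    "1. additional certificate for download.bareos.org": (["download.bareos.org"], DOWNLOAD_HOST),
    "2. wildcard certificate for *.bareos.org": (["*.bareos.org"], DOWNLOAD_HOST),
    "3. serve packages and keys from www.bareos.org": (CERT_AS_REPORTED, WWW_HOST),
}


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 rules).

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only when it is the entire left-most label of a name with at
    least two further labels ("*.bareos.org"), so "*.org", "d*.bareos.org"
    and "*.*.org" never match, and "*.bareos.org" covers neither the apex
    "bareos.org" nor deeper names such as "a.b.bareos.org".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(san_dns_names, hostname) -> bool:
    """True if any dNSName SAN entry of the certificate matches hostname."""
    return any(dnsname_matches(name, hostname) for name in san_dns_names)


def evaluate_fixes(fixes=PROPOSED_FIXES) -> dict:
    """Map each proposed fix to whether it removes the hostname mismatch."""
    return {desc: cert_covers_host(sans, host) for desc, (sans, host) in fixes.items()}


if __name__ == "__main__":
    covered = cert_covers_host(CERT_AS_REPORTED, DOWNLOAD_HOST)
    print(f"{DOWNLOAD_HOST} covered by certificate for {CERT_AS_REPORTED}: {covered}")
    for desc, ok in evaluate_fixes().items():
        print(f"{'resolves' if ok else 'does not resolve'} the mismatch: {desc}")
```

Against the reported situation the script returns False for download.bareos.org (the warning the reporter saw) and True for each of the three fixes. The same check a browser performs can be read off a live endpoint with `openssl s_client -connect download.bareos.org:443 -servername download.bareos.org </dev/null | openssl x509 -noout -text`, where the SAN extension lists the names the certificate actually covers.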