Date: Wed, 7 Mar 2018 14:53:07 +0100
From: Raphael Geissert <atomo64@...il.com>
To: Open Source Security <oss-security@...ts.openwall.com>
Cc: security@...e.de, avi.miller@...il.com, security@...are.com
Subject: And Harbor? (was: Portus, missing certificate validation on proxified
 https traffic)

On 7 March 2018 at 14:34, Raphael Geissert <atomo64@...il.com> wrote:
[...]
> Oh and it appears that this one comes from the
> Portus-On-OracleLinux7[4] repo from which "[they] borrowed a lot of
> the NGinx configuration"[2] :
> https://github.com/Djelibeybi/Portus-On-OracleLinux7/blob/f2e7a167f6325a0247eb1ca49a962478daf49a8b/nginx/proxy.conf#L57

From a quick look at harbor, it would appear to also be missing the
certificate validation on the proxified connections:
https://github.com/vmware/harbor/tree/master/make/common/templates/nginx
(as of 19a13e8)

CC'ing vmware security, fwiw.

> [1]https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/nginx/nginx.conf
> [2]https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/README.md
> [3]https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/docker-compose.yml#L21
> [4] https://github.com/Djelibeybi/Portus-On-OracleLinux7

Cheers,
-- 
Raphael Geissert
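
An added example, not part of the original message and not code from Portus or Harbor: a small Python check that flags `proxy_pass https://` directives whose effective `proxy_ssl_verify` is off (nginx's default, inherited from enclosing blocks), which is the condition this thread describes. The sample config, hostnames and CA path are constructed for illustration.

```python
import re

# Constructed sample config for illustration; not copied from Portus or Harbor.
SAMPLE = """\
server {
    location /v2/ {
        proxy_pass https://registry:5000;   # upstream certificate never checked
    }
    location /api/ {
        proxy_pass https://portus:3000;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
    }
}
"""

TOKEN = re.compile(r"""#.*|"[^"]*"|'[^']*'|[{};]|[^\s{};]+""")

def parse(conf):
    """Build a tree of nginx blocks, keeping only the directives audited here."""
    root = {"verify": None, "passes": [], "children": []}
    stack, words = [root], []
    for line_no, line in enumerate(conf.splitlines(), 1):
        for tok in TOKEN.findall(line):
            if tok.startswith("#"):          # comment runs to end of line
                continue
            if tok == "{":
                child = {"verify": None, "passes": [], "children": []}
                stack[-1]["children"].append(child)
                stack.append(child)
            elif tok == "}" and len(stack) > 1:
                stack.pop()
            elif tok == ";" and len(words) > 1:
                if words[0] == "proxy_ssl_verify":
                    stack[-1]["verify"] = words[1] == "on"
                elif words[0] == "proxy_pass" and words[1].startswith("https://"):
                    stack[-1]["passes"].append((line_no, words[1]))
            if tok in ("{", "}", ";"):
                words = []
            else:
                words.append(tok.strip("\"'"))
    return root

def unverified(block, inherited=False):
    """Return (line, url) for each https proxy_pass left unverified, honouring inheritance."""
    verify = inherited if block["verify"] is None else block["verify"]
    found = [] if verify else list(block["passes"])
    for child in block["children"]:
        found += unverified(child, verify)
    return found
```

Calling `unverified(parse(SAMPLE))` reports only the `/v2/` location; the check does not follow `include` directives, so included files need to be scanned separately.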
