Date: Wed, 7 Mar 2018 14:53:07 +0100
From: Raphael Geissert <atomo64@...il.com>
To: Open Source Security <oss-security@...ts.openwall.com>
Cc: security@...e.de, avi.miller@...il.com, security@...are.com
Subject: And Harbor? (was: Portus, missing certificate validation on proxified https traffic)

On 7 March 2018 at 14:34, Raphael Geissert <atomo64@...il.com> wrote:
[...]
> Oh and it appears that this one comes from the
> Portus-On-OracleLinux7 repo from which "[they] borrowed a lot of
> the NGinx configuration" :
> https://github.com/Djelibeybi/Portus-On-OracleLinux7/blob/f2e7a167f6325a0247eb1ca49a962478daf49a8b/nginx/proxy.conf#L57

From a quick look at harbor, it would appear to also be missing the
certificate validation on the proxified connections:
https://github.com/vmware/harbor/tree/master/make/common/templates/nginx
(as of 19a13e8)

CC'ing vmware security, fwiw.

> https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/nginx/nginx.conf
> https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/README.md
> https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/docker-compose.yml#L21
> https://github.com/Djelibeybi/Portus-On-OracleLinux7

Cheers,
-- 
Raphael Geissert
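
Added example, not part of the original message or of any project named in it: a small check for the condition the message describes. nginx leaves `proxy_ssl_verify` off unless it is set, so the script flags every `proxy_pass https://...` whose effective (inherited) setting is not `on`. The sample config, hostnames and paths are constructed, and the tokenizer is a simplification.

```python
import re

# Constructed sample config; hosts and paths are hypothetical.
SAMPLE = """
server {
    location /v2/ {
        proxy_pass https://registry:5000;  # proxy_ssl_verify left at default (off)
    }
}
server {
    location / { proxy_pass https://portus:3000; }
    proxy_ssl_verify on;                   # inherited by the locations in this server
    proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
    location /static/ { proxy_pass http://assets:8080; }
}
"""

def parse(tokens):
    """Consume tokens up to the matching '}' and return one config block."""
    block, text = {"set": {}, "blocks": []}, ""
    for tok in tokens:
        if tok == "{":
            block["blocks"].append(parse(tokens))  # block header in `text` is ignored
        elif tok == ";":
            name, *args = text.split()
            block["set"][name] = args
        elif tok == "}":
            break
        else:
            text = tok
    return block

def walk(block, inherited, findings):
    """proxy_ssl_* settings inherit from outer blocks; proxy_pass does not."""
    eff = {**inherited, **block["set"]}
    target = block["set"].get("proxy_pass", [""])[0]
    if target.startswith("https://") and eff.get("proxy_ssl_verify") != ["on"]:
        findings.append(target)
    for child in block["blocks"]:
        walk(child, eff, findings)
    return findings

def audit(conf):
    """Return https proxy_pass targets whose certificate is not verified."""
    # Simplified tokenizer: no quoted strings containing '#', ';' or braces.
    tokens = iter(re.findall(r"[{};]|[^\s{};][^{};]*", re.sub(r"#[^\n]*", "", conf)))
    return walk(parse(tokens), {}, [])

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Targets built from variables (for example `proxy_pass $scheme://...`) are not resolved by this check and need manual review.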