On Sun, May 10, 2015 at 04:05:16PM +0000, Daniel Shahaf wrote:
> Subversion 1.9.0-beta1 may accept invalid SSL certificates presented by
> servers in certain conditions: if both --non-interactive and --trust-foo
> were passed, and the certificate has two failures, both the 'foo'
> failure and some other failure.
>
> In this context, a 'failure' corresponds to one of the 1.9.x cmdline
> client's --trust-* option flags.
>
> This issue is not present in any GA release (1.8.x or earlier) and will
> not be present in 1.9.0 final.
>
> Daniel
> (handling this publicly since it doesn't affect any GA release; normally
> we handle security issues privately)
>

Sorry! I think I wrote this... oops. And thank you very much for catching it before dot zero GA!

> danie...@apache.org wrote on Sun, May 10, 2015 at 15:54:22 -0000:
> > Author: danielsh
> > Date: Sun May 10 15:54:22 2015
> > New Revision: 1678571
> >
> > URL: http://svn.apache.org/r1678571
> > Log:
> > * subversion/libsvn_subr/cmdline.c
> > (trust_server_cert_non_interactive): Fix false-positive acceptance of
> > certificates with multiple failures of which some but not all were
> > designated acceptable.
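
Added example, not part of the original thread and not Subversion's code: a C sketch of how a trust check over a certificate-failure bitmask can accept a certificate carrying both a trusted and an untrusted failure, next to a check that requires every failure to be trusted. The failure bits and function names are hypothetical, and the "any trusted" form is an assumed illustration of the class of bug described above, not the actual pre-fix code.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed failure bits; hypothetical names, not Subversion's. */
#define FAIL_UNKNOWN_CA  0x1u
#define FAIL_CN_MISMATCH 0x2u
#define FAIL_EXPIRED     0x4u

/* Flawed pattern: accepts as soon as ANY reported failure is one the
   user chose to trust, ignoring the failures that were not trusted. */
int accept_if_any_trusted(uint32_t failures, uint32_t trusted)
{
    return (failures & trusted) != 0;
}

/* Corrected pattern: accepts only if EVERY reported failure is trusted,
   i.e. no failure bit survives after masking out the trusted ones. */
int accept_if_all_trusted(uint32_t failures, uint32_t trusted)
{
    return (failures & ~trusted) == 0;
}

int main(void)
{
    /* Constructed cases: {failures reported, failures the user trusts}. */
    static const struct { uint32_t failures, trusted; const char *what; } cases[] = {
        { FAIL_UNKNOWN_CA, FAIL_UNKNOWN_CA, "one failure, trusted" },
        { FAIL_UNKNOWN_CA | FAIL_EXPIRED, FAIL_UNKNOWN_CA,
          "two failures, only one trusted" },
        { FAIL_UNKNOWN_CA | FAIL_EXPIRED, FAIL_UNKNOWN_CA | FAIL_EXPIRED,
          "two failures, both trusted" },
        { FAIL_CN_MISMATCH, FAIL_UNKNOWN_CA, "one failure, not trusted" },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-32s any-trusted=%d all-trusted=%d\n", cases[i].what,
               accept_if_any_trusted(cases[i].failures, cases[i].trusted),
               accept_if_all_trusted(cases[i].failures, cases[i].trusted));
    return 0;
}
```

The two checks disagree only on the second case, which is the condition the announcement describes: a trusted failure together with some other failure.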