On 10.05.2015 21:23, Stefan Sperling wrote:
> On Sun, May 10, 2015 at 04:05:16PM +0000, Daniel Shahaf wrote:
>> Subversion 1.9.0-beta1 may accept invalid SSL certificates presented by
>> servers in certain conditions: if both --non-interactive and --trust-foo
>> were passed, and the certificate has two failures, both the 'foo'
>> failure and some other failure.
>>
>> In this context, a 'failure' corresponds to one of the 1.9.x cmdline
>> client's --trust-* option flags.
>>
>> This issue is not present in any GA release (1.8.x or earlier) and will
>> not be present in 1.9.0 final.
>>
>> Daniel
>> (handling this publicly since it doesn't affect any GA release; normally
>> we handle security issues privately)
>>
> Sorry! I think I wrote this... oops.
>
> And thank you very much for catching it before dot zero GA!

Yup. FWIW, RC-1 has the same problem, but RC2 will not (assuming we all
vote for the backport).

-- Brane
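
The behaviour described in the advisory (a trusted failure masking an untrusted one) is the classic "any versus all" mistake in a failure-bitmask check. The following is an added illustration, not Subversion's code and not taken from the thread: the thread does not show the faulty source, so the flawed check is an assumed reconstruction, and all bit and function names are hypothetical.

```c
#include <stdio.h>

/* Hypothetical failure bits, one per --trust-* style flag
 * (names are assumptions, not Subversion identifiers). */
enum {
    FAIL_UNKNOWN_CA    = 1u << 0,
    FAIL_CN_MISMATCH   = 1u << 1,
    FAIL_EXPIRED       = 1u << 2,
    FAIL_NOT_YET_VALID = 1u << 3,
    FAIL_OTHER         = 1u << 4
};

/* Flawed: accepts as soon as ANY reported failure is on the trusted list,
 * so an untrusted failure riding along with a trusted one is ignored. */
int accept_if_any_trusted(unsigned failures, unsigned trusted)
{
    if (failures == 0)
        return 1;
    return (failures & trusted) != 0;
}

/* Correct: accepts only when EVERY reported failure is on the trusted list. */
int accept_if_all_trusted(unsigned failures, unsigned trusted)
{
    return (failures & ~trusted) == 0;
}

/* Regression helper: over all 32 possible failure sets, count those the
 * flawed check accepts although the strict check rejects them. */
int count_wrongly_accepted(unsigned trusted)
{
    int n = 0;
    for (unsigned f = 0; f < 32; f++)
        if (accept_if_any_trusted(f, trusted) && !accept_if_all_trusted(f, trusted))
            n++;
    return n;
}

int main(void)
{
    unsigned trusted = FAIL_EXPIRED;                  /* user trusts "expired" only */
    unsigned cert = FAIL_EXPIRED | FAIL_UNKNOWN_CA;   /* constructed two-failure case */
    printf("flawed check accepts:  %d\n", accept_if_any_trusted(cert, trusted));
    printf("strict check accepts:  %d\n", accept_if_all_trusted(cert, trusted));
    printf("failure sets wrongly accepted: %d\n", count_wrongly_accepted(trusted));
    return 0;
}
```

An exhaustive sweep like `count_wrongly_accepted` is cheap for a five-bit mask and makes a useful regression test for this kind of trust-override logic.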