oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

And Harbor? (was: Portus, missing certificate validation on proxified https traffic)

From: Raphael Geissert <atomo64 () gmail com>
Date: Wed, 7 Mar 2018 14:53:07 +0100
On 7 March 2018 at 14:34, Raphael Geissert <atomo64 () gmail com> wrote:
[...]

Oh and it appears that this one comes from the
Portus-On-OracleLinux7[4] repo from which "[they] borrowed a lot of
the NGinx configuration"[2] :
https://github.com/Djelibeybi/Portus-On-OracleLinux7/blob/f2e7a167f6325a0247eb1ca49a962478daf49a8b/nginx/proxy.conf#L57



From a quick look at harbor, it would appear to also be missing the

certificate validation on the proxified connections:
https://github.com/vmware/harbor/tree/master/make/common/templates/nginx
(as of 19a13e8)

CC'ing vmware security, fwiw.


[1]https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/nginx/nginx.conf
[2]https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/README.md
[3]https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/docker-compose.yml#L21
[4] https://github.com/Djelibeybi/Portus-On-OracleLinux7


Cheers,
-- 
Raphael Geissert
Previous By Date Next
Previous By Thread Next

Current thread: