Comments (10)
Seldaek
commented on May 29, 2024
1
BTW Nov 2 bundle is out and I can confirm that finally the google domain issue is resolved so no more hacky restoration of deleted certs needed. We now use the raw bundle.
from ca-bundle.
Seldaek
commented on May 29, 2024
Fixed in 1.0.2 by a2995e5
from ca-bundle.
Seldaek
commented on May 29, 2024
See also cakephp/cakephp#8608 (comment) for details
from ca-bundle.
JanPetterMG
commented on May 29, 2024
Has anyone ever verified this issue?
And why isn't it using CaBundle::getBundledCaBundlePath()?
As far as I can see, there is a possibility that the above test was using a local system ca-bundle instead of the now patched ca-bundle provided by this library. What path did it return, that's essential to know in cases like these.
For the sake of security, we need to be 100% sure it's a composer/ca-bundle problem before we patch anything!
from ca-bundle.
janedbal
commented on May 29, 2024
@JanPetterMG I'm able to reproduce this issue even now on PHP 5.6 with getBundledCaBundlePath when using composer/ca-bundle 1.0.1. The issue disappears when I switch to PHP 7, which is weird to me (maybe some relation to bundled openssl in PHP 7?)
from ca-bundle.
JanPetterMG
commented on May 29, 2024
@janedbal Okay, then it's verified and we're all good 👍
It's all about the security. If I can't trust the changes, I can't trust the library either, that simple it is...
from ca-bundle.
JanPetterMG
commented on May 29, 2024
I can't verify this myself, no errors at all. Tested both v1.0.1 (bundle 2016-01-20) and PR #6 (bundle 2016-04-20). Running PHP v5.6.20. It might be the setup?
I would really appreciate if a 3rd person could test if this issue is still present in PR #6.
from ca-bundle.
Seldaek
commented on May 29, 2024
I can confirm that I can still reproduce the issue with the new CAbundle, so the new release still comes with Equifax added.. http://security.stackexchange.com/a/53271 has some details about this but I haven't read in depth.
from ca-bundle.
janedbal
commented on May 29, 2024
@Seldaek Are you sure? I'm still experiencing the same issue even on the Nov 2 bundle tagged as 1.0.5 (PHP 5.6 with getBundledCaBundlePath). Version 1.0.4 works fine. On PHP 7, everything is ok as mentioned before.
from ca-bundle.
Seldaek
commented on May 29, 2024
Ah crap I forgot it was working with php7 sorry.. Didn't test with <7. I guess we'll have to restore the cert again then.
from ca-bundle.
Related Issues (16)
- Copying bundle outside of Phar HOT 11
- Homebrew OS X certificates are not loaded. HOT 4
- Consider using openssl_get_cert_locations HOT 2
- Automatic updating of cacert.pem? HOT 3
- "Portable" `openssl.cafile` location fails to be detected properly on Windows HOT 1
- Missing Changelog HOT 1
- Problem after updating to 1.2.0 version HOT 19
- CA bundle of OpenSSL on Mac OS X not included in CA bundle paths
- Ca-bundle missed new versions of Homebrew OSx HOT 3
- class CaBundle does not extends from class Bundle -> BundleInterface HOT 6
- Attempted to call an undefined method named "getName" of class "Composer\CaBundle\CaBundle" HOT 4
- Error on composer require HOT 4
- Logs for unreadable/non-existent certificates HOT 3
- open_basedir restriction not handled HOT 5
- [PHP 8.4] Implicit nullable parameter type fixes HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ca-bundle.