no SSL certificate verify #3

Closed
ShoppingRuan opened this issue May 9, 2017 · 0 comments
Comments

@ShoppingRuan

Hi developers:
Recently we performed a large-scale static security analysis on several open source projects and found some mistakes in r-cran-rsclient_0.7-3. In src/cli.c:146:
static int tls_upgrade(rsconn_t *c) {
    SSL *ssl;
    SSL_CTX *ctx;
    if (first_tls)
        init_tls();
    ctx = SSL_CTX_new(SSLv23_client_method());
    SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
    c->tls = ssl = SSL_new(ctx);
    c->send = tls_send;
    c->recv = tls_recv;
    SSL_set_fd(ssl, c->s);
    /* SSL_CTX_free(ctx) // check whether this is safe - it should be since ssl has the reference ... */
    return SSL_connect(ssl);
}

When the SSL connect finishes, you immediately start to execute read/write operations without verifying the certificate, which can lead to a MITM attack and cause leakage of sensitive data. We recommend you add a verify operation such as SSL_CTX_set_verify or SSL_get_peer_certificate to guarantee the security. We have sent the bug report to Ubuntu Launchpad, and also inform you of such news. Here is the link:

https://bugs.launchpad.net/ubuntu/+source/r-cran-rsclient/+bug/1677493
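The defect reported above is a client that completes the TLS handshake but never requires or checks the server certificate. The following added example (not code from the rsclient project or from the issue author) shows the same weak configuration beside the hardened one using Python's standard `ssl` module, plus a small audit function that flags the missing settings. The three hardening steps correspond to the OpenSSL calls a C fix would use: loading a trust store (`SSL_CTX_set_default_verify_paths`), requiring peer verification (`SSL_CTX_set_verify` with `SSL_VERIFY_PEER`) and binding the expected hostname (`SSL_set1_host`, OpenSSL 1.1.0+). The `cafile` parameter and the `tls_upgrade` wrapper are this example's own names.

```python
import socket
import ssl
from typing import List, Optional


def lax_context() -> ssl.SSLContext:
    """Mirror of the reported tls_upgrade(): no trust store is consulted and
    the peer certificate is never checked, so any certificate, including one
    presented by an on-path attacker, completes the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # counterpart of never calling SSL_CTX_set_verify
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that does what the issue asks for: load a trust store
    (system default, or the given CA bundle), require a valid chain and
    check the hostname against the certificate. Also pins a TLS 1.2 floor."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of verification weaknesses in a client context.
    An empty list means the context enforces certificate validation."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


def tls_upgrade(sock: socket.socket, server_hostname: str,
                cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Hardened equivalent of the reported function: upgrade an already
    connected TCP socket to TLS. With CERT_REQUIRED the handshake itself
    raises ssl.SSLCertVerificationError on an untrusted chain or a hostname
    mismatch, so no application data is ever exchanged with an unverified peer."""
    ctx = hardened_context(cafile)
    return ctx.wrap_socket(sock, server_hostname=server_hostname)
```

Usage: `tls_upgrade(sock, "server.example")` (a placeholder hostname) either returns a socket whose `getpeercert()` is the validated certificate or raises `ssl.SSLCertVerificationError`, which the caller should treat as a hard failure rather than retrying with verification disabled. `audit_context()` can be run against any context a code base builds to catch the pattern reported here before it ships.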

@s-u s-u closed this as completed in 96cd67d Jul 26, 2019