oss-sec mailing list archives
Re: CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Mon, 30 Apr 2012 19:34:48 -0400
On Tue, 2012-04-24 at 12:04 +0200, Ludwig Nussel wrote:
> Hi,
>
> libsoup 2.32.2 does not verify certificates at all if an application does not explicitly specify a file with trusted root CAs. Since that libsoup version relies on the verification failure to clear the trust flag it always considers ssl connections as trusted in that case.
>
> Reference: https://bugzilla.novell.com/show_bug.cgi?id=758431
Here is an upstream bug about the issue.

https://bugzilla.gnome.org/show_bug.cgi?id=666280

Marc.
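The flag logic described in the quoted report, as an added example that is not part of the original message and is not libsoup's code: a simplified C model contrasting a trust flag that is cleared only on verification failure with one that is set only on verification success. All type and function names, and the `ca.pem` path, are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: none of these names come from libsoup. */
typedef enum { VERIFY_NOT_RUN, VERIFY_OK, VERIFY_FAILED } verify_result;

/* Stand-in for the TLS layer: the peer certificate is only checked
 * when the application configured a file of trusted root CAs. */
static verify_result tls_verify(const char *ca_file, bool chains_to_ca)
{
    if (ca_file == NULL)
        return VERIFY_NOT_RUN;          /* nothing to verify against */
    return chains_to_ca ? VERIFY_OK : VERIFY_FAILED;
}

/* Fail-open: the flag starts out trusted and only a verification
 * failure clears it, so "verification never ran" stays trusted. */
bool trusted_fail_open(const char *ca_file, bool chains_to_ca)
{
    bool trusted = true;
    if (tls_verify(ca_file, chains_to_ca) == VERIFY_FAILED)
        trusted = false;
    return trusted;
}

/* Fail-closed: the flag is set only on a positive verification result. */
bool trusted_fail_closed(const char *ca_file, bool chains_to_ca)
{
    return tls_verify(ca_file, chains_to_ca) == VERIFY_OK;
}

int main(void)
{
    /* Constructed cases: CA file configured or not, certificate valid or not. */
    const char *ca_files[] = { NULL, "ca.pem" };
    for (int i = 0; i < 2; i++)
        for (int valid = 0; valid <= 1; valid++)
            printf("ca_file=%-6s cert_valid=%d fail_open=%d fail_closed=%d\n",
                   ca_files[i] ? ca_files[i] : "(none)", valid,
                   trusted_fail_open(ca_files[i], valid),
                   trusted_fail_closed(ca_files[i], valid));
    return 0;
}
```

The two variants differ only in the rows where no CA file is configured, which is the case the report is about.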