oss-sec mailing list archives
Re: CVE Request: evolution-data-server lacks SSL checking in its libsoup users
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 04 May 2012 10:03:20 -0600
On 05/04/2012 02:30 AM, Steve Beattie wrote:
> On Fri, May 04, 2012 at 10:03:11AM +0200, Marcus Meissner wrote:
>> This was already reported:
>> https://bugzilla.gnome.org/show_bug.cgi?id=671537
>> https://launchpad.net/bugs/933659 (private still)
>> so it might have a CVE already.
>
> I've made the launchpad bug public now. There was no CVE assigned in that report. Thanks.

Shouldn't these all be covered by the libsoup CVE:

libsoup 2.32.2 does not verify certificates at all if an application does not explicitly specify a file with trusted root CA's. Since that libsoup version relies on the verification failure to clear the trust flag it always considers ssl connections as trusted in that case.

Reference: https://bugzilla.novell.com/show_bug.cgi?id=758431

cu Ludwig

Please use CVE-2012-2132 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
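The fail-open trust flag described in the libsoup report quoted in this message, modelled as an added example. This is not libsoup or evolution-data-server code: every type and function name is hypothetical, and the certificate check is a stand-in that compares constructed issuer names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the reported flaw; all names are hypothetical. */
struct session { const char *ca_file; const char *root; }; /* ca_file NULL: no trust roots set */
struct peer    { const char *issuer; };

enum verdict { VERIFY_OK, VERIFY_FAILED, VERIFY_NOT_RUN };

/* Stand-in for chain validation: it only runs when a CA file is configured. */
static enum verdict verify_peer(const struct session *s, const struct peer *p)
{
    if (s->ca_file == NULL)
        return VERIFY_NOT_RUN;
    return strcmp(p->issuer, s->root) == 0 ? VERIFY_OK : VERIFY_FAILED;
}

/* Fail-open: the flag starts set and only an explicit failure clears it,
 * so "verification never ran" looks the same as "verified". */
bool trusted_fail_open(const struct session *s, const struct peer *p)
{
    bool trusted = true;
    if (verify_peer(s, p) == VERIFY_FAILED)
        trusted = false;
    return trusted;
}

/* Fail-closed: the flag starts clear and is set only by a verification
 * that actually ran and succeeded. */
bool trusted_fail_closed(const struct session *s, const struct peer *p)
{
    return verify_peer(s, p) == VERIFY_OK;
}

int main(void)
{
    struct session no_ca = { NULL, NULL };            /* app set no CA file */
    struct peer forged = { "Constructed Rogue CA" };  /* constructed sample */
    printf("no CA file, forged peer: fail-open=%d fail-closed=%d\n",
           trusted_fail_open(&no_ca, &forged), trusted_fail_closed(&no_ca, &forged));
    return 0;
}
```

With a CA file configured both variants agree; they differ only in the unconfigured case, which is the case the report describes.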