Re: CVE Request: evolution-data-server lacks SSL checking in its libsoup users

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/04/2012 02:30 AM, Steve Beattie wrote:
> On Fri, May 04, 2012 at 10:03:11AM +0200, Marcus Meissner wrote:
> > This was already reported: 
> > https://bugzilla.gnome.org/show_bug.cgi?id=671537 
> > https://launchpad.net/bugs/933659   (private still)
> >
> > so it might have a CVE already.
>
> I've made the launchpad bug public now. There was no CVE assigned 
> in that report.
>
> Thanks.

Shouldn't these all be covered by the libsoup CVE:

> libsoup 2.32.2 does not verify certificates at all if an 
> application does not explicitly specify a file with trusted root 
> CA's. Since that libsoup version relies on the verification
> failure to clear the trust flag it always considers ssl connections
> as trusted in that case.
>
> Reference: https://bugzilla.novell.com/show_bug.cgi?id=758431
>
> cu Ludwig
Please use CVE-2012-2132 for this issue.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPo/3IAAoJEBYNRVNeJnmTtPkQAKI4X13+7i3fStpzFpHamaUi
5/xgP6q+2ln/XVk11v4M6hN0VTr2gITPFk51x+MVnm+i9uBd8s5EtovrueA+eE8t
bISTs6WSDDFrpOlR3nW1DN65bW9WT75dp1c4ehWZJXDtlOIeYAjKh+Avc0lxLLVM
KeIaTv5nFHGaTth6ajreuW3esDYXAZ/mTlEfdyiUq2+6JtqE8TVl4sXRN0GOl7Ra
wlBE8M28C3p8aqyeY5Esxq3chLNFF7WFaMkOkgNv5okpFrJ+QQ/8lT1nOf4pPgm8
ndDk69ICcNkfFerBxNY58Qb8BLD022qJOAaYsbAfty1//gLXtUjqf5Zq/c2o3DJ4
EaClDiLPAjwbc6T5JlDyatTdwLNlFDdziJTk3f0TU9Qffx7adbeCyPIA42GCnQp5
pS+xsAIayCW3S7cAT/quy4F7dOppSWJ9qT4wJjCvIvQejnOS4qmQNL7GLac4REgU
wMYYW6DKGWb0zOW0WTP58IC+Ros3nK+YiHyyg8tpG9SvtGC7L8CE532Y1eXwZT9/
WccuEL3gQ9zOl3Y9EmTkj/770+msIRyjRQmuKpGwk/oUuKANlIfy4LwdSgD/PiGG
3jlIZjdNOic6OM0N3TKbvDuKp+tBy41lYig1e4AGSpPeX5oFF380MERWw+GZFx2+
dyiNsiZOsrcJTOYCKAMd
=WbnO
-----END PGP SIGNATURE-----