oss-sec mailing list archives

Re: CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 24 Apr 2012 09:21:34 -0600


On 04/24/2012 04:04 AM, Ludwig Nussel wrote:
> Hi,
> 
> libsoup 2.32.2 does not verify certificates at all if an
> application does not explicitly specify a file with trusted root
> CAs. Since that libsoup version relies on the verification failure
> to clear the trust flag, it always considers SSL connections as
> trusted in that case.
> 
> Reference: https://bugzilla.novell.com/show_bug.cgi?id=758431
> 
> cu Ludwig


Please use CVE-2012-2132 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


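The flaw Ludwig describes is a fail-open default: the "certificate trusted" flag starts set and is cleared only when verification actively fails, so a connection on which verification never ran (no CA file configured) keeps the flag. The following C program is an added illustration written for this archive page, not libsoup code; it models that flag logic with a constructed stand-in for the TLS backend and places the vulnerable pattern beside the fail-closed form that sets the flag only on a positive verification result. The flag constant, the `verify_peer()` stand-in and the file paths are assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Flag modelled on the idea of libsoup's per-message "certificate trusted"
 * bit; the numeric value is a local assumption for this example. */
#define CERTIFICATE_TRUSTED (1u << 0)

/* Outcome of certificate verification for one TLS connection. */
typedef enum {
    VERIFY_SKIPPED,   /* no trust store configured, so nothing was checked */
    VERIFY_OK,        /* chain validated against the configured CA bundle */
    VERIFY_FAILED     /* chain did not validate */
} verify_result;

/* Constructed stand-in for a TLS backend: with no CA bundle it cannot
 * verify anything and reports that verification was skipped. */
static verify_result verify_peer(const char *ca_file, bool chain_is_valid)
{
    if (ca_file == NULL)
        return VERIFY_SKIPPED;
    return chain_is_valid ? VERIFY_OK : VERIFY_FAILED;
}

/* Vulnerable pattern from the report: the flag starts set and is cleared
 * only on an explicit failure. A skipped verification never fails, so an
 * unverified connection is reported as trusted. */
unsigned int trust_flags_vulnerable(const char *ca_file, bool chain_is_valid)
{
    unsigned int flags = CERTIFICATE_TRUSTED;
    if (verify_peer(ca_file, chain_is_valid) == VERIFY_FAILED)
        flags &= ~CERTIFICATE_TRUSTED;
    return flags;
}

/* Fail-closed pattern: the flag starts clear and is set only when the
 * backend positively validated the chain. Skipped stays untrusted. */
unsigned int trust_flags_fixed(const char *ca_file, bool chain_is_valid)
{
    unsigned int flags = 0;
    if (verify_peer(ca_file, chain_is_valid) == VERIFY_OK)
        flags |= CERTIFICATE_TRUSTED;
    return flags;
}

/* The check an application should make before acting on a TLS response. */
bool connection_trusted(unsigned int flags)
{
    return (flags & CERTIFICATE_TRUSTED) != 0;
}

int main(void)
{
    /* Constructed scenarios; the CA path is a placeholder. */
    struct { const char *ca; bool valid; const char *label; } cases[] = {
        { NULL,          false, "no CA file, bogus chain" },
        { "/path/ca.pem", false, "CA file, bogus chain" },
        { "/path/ca.pem", true,  "CA file, valid chain" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned int v = trust_flags_vulnerable(cases[i].ca, cases[i].valid);
        unsigned int f = trust_flags_fixed(cases[i].ca, cases[i].valid);
        printf("%-26s vulnerable=%d fixed=%d\n", cases[i].label,
               connection_trusted(v), connection_trusted(f));
    }
    return 0;
}
```

The first row is the CVE-2012-2132 case: with no CA file the vulnerable logic reports the connection as trusted while the fail-closed logic does not. The general lesson for any client library is that a "trusted" indicator must be derived from a verification that actually ran and succeeded, and applications should check that indicator rather than assume an established TLS session implies a verified peer.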
