oss-sec mailing list archives
Re: CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 24 Apr 2012 09:21:34 -0600
On 04/24/2012 04:04 AM, Ludwig Nussel wrote:
> Hi,
>
> libsoup 2.32.2 does not verify certificates at all if an application
> does not explicitly specify a file with trusted root CA's. Since that
> libsoup version relies on the verification failure to clear the trust
> flag it always considers ssl connections as trusted in that case.
>
> Reference:
> https://bugzilla.novell.com/show_bug.cgi?id=758431
>
> cu
> Ludwig

Please use CVE-2012-2132 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
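
The failure mode described in the report above, as an added example that is not part of the thread and is not libsoup's code: a trust flag that only a verification failure can clear stays set when verification never runs, shown beside a fail-closed form. The struct, the function names and the CA path are hypothetical, and verify_peer() is a stand-in for the TLS library's certificate check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a TLS connection; not libsoup's types. */
struct conn {
    const char *ca_file;   /* NULL: application configured no trusted root CAs */
    bool peer_cert_valid;  /* what verification would conclude if it ran */
    bool trusted;          /* flag the application reads after the handshake */
};

/* Stand-in for the certificate check; returns false on failure. */
static bool verify_peer(const struct conn *c) { return c->peer_cert_valid; }

/* Fail-open: the flag starts set and only a verification failure clears it.
 * With no CA file the check is skipped, so nothing ever clears the flag. */
bool handshake_fail_open(struct conn *c)
{
    c->trusted = true;
    if (c->ca_file != NULL && !verify_peer(c))
        c->trusted = false;
    return c->trusted;
}

/* Fail-closed: the flag starts clear and is set only when verification
 * actually ran and succeeded. */
bool handshake_fail_closed(struct conn *c)
{
    c->trusted = false;
    if (c->ca_file != NULL && verify_peer(c))
        c->trusted = true;
    return c->trusted;
}

int main(void)
{
    /* Constructed cases: no CA file, CA file with a bad cert, CA file with a good cert. */
    struct conn cases[] = {
        { NULL, false, false },
        { "/constructed/ca.pem", false, false },
        { "/constructed/ca.pem", true, false },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct conn a = cases[i], b = cases[i];
        printf("ca_file=%s valid=%d fail_open=%d fail_closed=%d\n",
               a.ca_file ? a.ca_file : "(none)", a.peer_cert_valid,
               handshake_fail_open(&a), handshake_fail_closed(&b));
    }
    return 0;
}
```

The two forms agree whenever a CA file is configured; they differ only in the no-CA-file case, which is the case the report is about.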