oss-sec mailing list archives
Re: CVE Request: evolution-data-server lacks SSL checking in its libsoup users
From: Marcus Meissner <meissner () suse de>
Date: Fri, 4 May 2012 10:03:11 +0200
On Thu, May 03, 2012 at 05:27:02PM +0200, Marcus Meissner wrote:
> Hi,
>
> The libsoup SSL certificate checking problem Ludwig exposed is drawing some circles.
>
> I started looking at the libsoup users, first one is evolution-data-server,
>
> None of the libsoup users there seem to handle SSL certificate trust correctly (or at all) in my eyes.
>
> In version 2.28 these are:
>
> Groupwise protocol handling (server/groupwise/e-gw-connection.c)
> Exchange protocol handling (server/exchange/lib/e2k-context.c)
> Google (servers/google/libgdata-google/gdata-google-service.c)
> calendar/backends/http/e-cal-backend-http.c
> calendar/backends/caldav/e-cal-backend-caldav.c
>
> I do not fully understand the correct solution to this yet though, whether we need to pass in additional flags, or evaluate the "trusted" flag after the connect.
>
> https://bugzilla.novell.com/show_bug.cgi?id=760517

This was already reported:

https://bugzilla.gnome.org/show_bug.cgi?id=671537
https://launchpad.net/bugs/933659 (private still)

so it might have a CVE already.

Ciao, Marcus