oss-sec mailing list archives
Re: CVE Request: evolution-data-server lacks SSL checking in its libsoup users
From: Marcus Meissner <meissner () suse de>
Date: Fri, 4 May 2012 21:44:52 +0200
On Fri, May 04, 2012 at 10:03:20AM -0600, Kurt Seifried wrote:
> On 05/04/2012 02:30 AM, Steve Beattie wrote:
>> On Fri, May 04, 2012 at 10:03:11AM +0200, Marcus Meissner wrote:
>>> This was already reported:
>>> https://bugzilla.gnome.org/show_bug.cgi?id=671537
>>> https://launchpad.net/bugs/933659 (private still)
>>> so it might have a CVE already.
>>
>> I've made the launchpad bug public now. There was no CVE assigned in that report. Thanks.
>>
>>> Shouldn't these all be covered by the libsoup CVE:
>>>
>>> libsoup 2.32.2 does not verify certificates at all if an application does not explicitly specify a file with trusted root CAs. Since that libsoup version relies on the verification failure to clear the trust flag, it always considers ssl connections as trusted in that case.
>>>
>>> Reference: https://bugzilla.novell.com/show_bug.cgi?id=758431
>>>
>>> cu Ludwig
>
> Please use CVE-2012-2132 for this issue.
That really depends on whether it is the task of libsoup or the task of the applications, I think. So who is lacking the checks...

Our opinion is that the default should be "good" in libsoup, so a CVE is needed there in all cases.

Ciao, Marcus
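The fail-open default described in the quoted text (the trust flag is cleared only when verification fails, so a session with no CA file never verifies and is always trusted) placed beside the fail-closed alternative, as an added, constructed C model. This is not libsoup's code: the session struct, the chain_verifies() stand-in for the TLS library's chain check, the issuer strings and the CA file path are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the behaviour the thread describes for libsoup 2.32.2:
 * the trust flag is cleared only when verification *fails*, so a session with
 * no CA file configured (verification never runs) is always considered trusted. */

typedef struct {
    const char *ca_file;   /* NULL means "no trusted roots configured" */
} session_t;

/* Stand-in for the TLS library's chain check (assumption, not a real API):
 * true iff the peer chain was issued by a root present in ca_file.
 * The issuer strings are constructed for this example. */
static bool chain_verifies(const char *ca_file, const char *cert_issuer)
{
    if (ca_file == NULL)
        return false;                        /* nothing to verify against */
    return strcmp(cert_issuer, "ConstructedTrustedRoot") == 0;
}

/* Vulnerable pattern (fail-open): trusted starts true and is only cleared
 * when verification actually runs and fails. No CA file => no verification
 * => the connection stays "trusted" regardless of the certificate. */
bool connect_fail_open(const session_t *s, const char *cert_issuer)
{
    bool trusted = true;
    if (s->ca_file != NULL && !chain_verifies(s->ca_file, cert_issuer))
        trusted = false;
    return trusted;
}

/* Hardened pattern (fail-closed): trusted starts false and is set only on a
 * positive verification result, so missing roots cannot produce trust. */
bool connect_fail_closed(const session_t *s, const char *cert_issuer)
{
    return chain_verifies(s->ca_file, cert_issuer);
}

/* Strict policy at the application layer: refuse to use a connection that
 * is not trusted instead of leaving a flag for every caller to remember to
 * inspect. Returns 0 on success, -1 if the connection must be abandoned. */
int fetch_strict(const session_t *s, const char *cert_issuer)
{
    if (!connect_fail_closed(s, cert_issuer))
        return -1;
    return 0;
}

int main(void)
{
    session_t no_ca   = { NULL };
    session_t with_ca = { "/etc/ssl/certs/ca-certificates.crt" };  /* assumed path */

    printf("no CA,  fail-open:   trusted=%d\n", connect_fail_open(&no_ca, "ConstructedUnknownIssuer"));
    printf("no CA,  fail-closed: trusted=%d\n", connect_fail_closed(&no_ca, "ConstructedUnknownIssuer"));
    printf("CA set, good chain:  trusted=%d\n", connect_fail_closed(&with_ca, "ConstructedTrustedRoot"));
    printf("CA set, bad chain:   trusted=%d\n", connect_fail_closed(&with_ca, "ConstructedUnknownIssuer"));
    printf("no CA,  strict fetch: rc=%d\n", fetch_strict(&no_ca, "ConstructedTrustedRoot"));
    return 0;
}
```

The only case where the two policies disagree is the one the thread is about: no CA file configured. In libsoup itself the counterpart of fetch_strict() is the session's ssl-strict property (SOUP_SESSION_SSL_STRICT, available from libsoup 2.30), which fails the request outright instead of only clearing SOUP_MESSAGE_CERTIFICATE_TRUSTED for the application to check afterwards.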