oss-sec mailing list archives
[CVE Assignment Notification] CVE-2013-0240 - Gnome Online Accounts (GOA) (previously) failed to verify SSL certificates when creating e.g. Windows Live or Facebook accounts
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 5 Feb 2013 11:12:59 -0500 (EST)
Hello Steve, vendors,

it was found that Gnome Online Accounts (GOA) did not perform SSL certificate validation, when performing Windows Live and Facebook accounts creation. A remote attacker could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly leading to their ability to obtain sensitive information.

The CVE identifier of CVE-2013-0240 has been assigned to this issue.

Relevant upstream patch:
[1] http://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e

References:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0240

The issue was found (and reported internally to Red Hat bugzilla) by Simon McVittie.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team