oss-sec mailing list archives

CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification


From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Tue, 24 Apr 2012 12:04:24 +0200

Hi,

libsoup 2.32.2 does not verify certificates at all if an application does
not explicitly specify a file with trusted root CAs. Since that libsoup
version relies on the verification failure to clear the trust flag it
always considers ssl connections as trusted in that case.

Reference:
https://bugzilla.novell.com/show_bug.cgi?id=758431

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 
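
The flag logic reported above, modelled in C next to a fail-closed form. This is an added example, not code from the original message or from libsoup; `struct session`, `verify_chain`, `trusted_fail_open`, `trusted_fail_closed` and the CA path are hypothetical names and values constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a TLS session; not libsoup's data structures. */
struct session {
    const char *ca_file;   /* NULL: application gave no trusted root CA file */
    bool chain_verifies;   /* stand-in for the outcome of real chain verification */
};

/* Stand-in for chain verification against the roots in ca_file. */
static bool verify_chain(const struct session *s)
{
    return s->chain_verifies;
}

/* Pattern described in the report: the flag starts out set and only a
 * verification failure clears it. With no CA file, verification never
 * runs, so nothing can clear the flag. */
bool trusted_fail_open(const struct session *s)
{
    bool trusted = true;
    if (s->ca_file != NULL && !verify_chain(s))
        trusted = false;
    return trusted;
}

/* Fail-closed form: the flag starts out clear and only a verification
 * that actually ran and succeeded sets it. */
bool trusted_fail_closed(const struct session *s)
{
    bool trusted = false;
    if (s->ca_file != NULL && verify_chain(s))
        trusted = true;
    return trusted;
}

int main(void)
{
    /* Constructed cases: a chain that does not verify, with and without a CA file. */
    struct session no_ca = { NULL, false };
    struct session with_ca = { "/path/to/ca-bundle.pem", false };
    printf("no CA file:   fail-open=%d fail-closed=%d\n",
           trusted_fail_open(&no_ca), trusted_fail_closed(&no_ca));
    printf("with CA file: fail-open=%d fail-closed=%d\n",
           trusted_fail_open(&with_ca), trusted_fail_closed(&with_ca));
    return 0;
}
```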

