oss-sec mailing list archives
CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification
From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Tue, 24 Apr 2012 12:04:24 +0200
Hi,

libsoup 2.32.2 does not verify certificates at all if an application does not explicitly specify a file with trusted root CAs. Since that libsoup version relies on the verification failure to clear the trust flag it always considers ssl connections as trusted in that case.

Reference:
https://bugzilla.novell.com/show_bug.cgi?id=758431

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
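The fail-open pattern the report describes, next to a fail-closed variant, as a constructed C model added here; it is not libsoup's code and not part of the original message. The function names, the CA file name and the issuer strings are assumptions, and the string comparison only stands in for real chain validation.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for real chain validation (assumption): only one constructed
 * issuer name counts as chaining to a trusted root. */
static bool verify_peer(const char *peer_issuer) {
    return strcmp(peer_issuer, "Example Root CA") == 0;
}

/* Pattern from the report: the flag starts out set and only a verification
 * failure clears it. Without a CA file no verification runs, so nothing
 * ever clears the flag. */
bool trusted_flag_fail_open(const char *ca_file, const char *peer_issuer) {
    bool trusted = true;
    if (ca_file != NULL && !verify_peer(peer_issuer))
        trusted = false;
    return trusted;
}

/* Fail-closed alternative: the flag starts clear and is set only after
 * verification actually ran and succeeded. */
bool trusted_flag_fail_closed(const char *ca_file, const char *peer_issuer) {
    bool trusted = false;
    if (ca_file != NULL && verify_peer(peer_issuer))
        trusted = true;
    return trusted;
}

int main(void) {
    /* Constructed inputs: with and without a CA file, good and bad issuer. */
    const char *ca_files[] = { NULL, "ca-bundle.pem" };
    const char *issuers[] = { "Example Root CA", "Unknown Issuer" };
    for (int i = 0; i < 2; i++)
        for (int j = 0; j < 2; j++)
            printf("ca_file=%-13s issuer=%-15s fail_open=%d fail_closed=%d\n",
                   ca_files[i] ? ca_files[i] : "(none)", issuers[j],
                   trusted_flag_fail_open(ca_files[i], issuers[j]),
                   trusted_flag_fail_closed(ca_files[i], issuers[j]));
    return 0;
}
```

The two variants agree whenever a CA file is configured and differ only in the rows where it is absent, which is the case the report is about.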
Current thread:
- CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification Ludwig Nussel (Apr 24)
- Re: CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification Kurt Seifried (Apr 24)
- Re: CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification Vincent Danen (Apr 30)
- Re: CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification Ludwig Nussel (May 02)
- Re: CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification Vincent Danen (May 02)
- Re: CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification Ludwig Nussel (May 02)
- Re: CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification Marc Deslauriers (Apr 30)