oss-sec mailing list archives
CVE Request: evolution-data-server lacks SSL checking in its libsoup users
From: Marcus Meissner <meissner () suse de>
Date: Thu, 3 May 2012 17:27:02 +0200
Hi,
The libsoup SSL certificate checking problem Ludwig exposed is drawing some
circles.
I started looking at the libsoup users; the first one is evolution-data-server.
None of the libsoup users there seem to handle SSL certificate trust correctly (or at all) in my eyes.
In version 2.28 these are:
Groupwise protocol handling (server/groupwise/e-gw-connection.c)
Exchange protocol handling (server/exchange/lib/e2k-context.c)
Google (servers/google/libgdata-google/gdata-google-service.c)
calendar/backends/http/e-cal-backend-http.c
calendar/backends/caldav/e-cal-backend-caldav.c
I do not fully understand the correct solution to this yet though, whether we need
to pass in additional flags, or evaluate the "trusted" flag after the connect.
https://bugzilla.novell.com/show_bug.cgi?id=760517
Ciao, Marcus
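
An added example, not part of the original message or of evolution-data-server: a heuristic Python scan of C sources for the two remedies the message mentions, reporting libsoup session constructors that pass no CA-related property in files that also never test the "trusted" flag. The property and flag names are assumed from the libsoup 2.x API, and the sample sources are constructed.

```python
import re

# libsoup 2.x session properties that configure certificate trust
# (macro names and their string forms; assumed from the libsoup 2.x API).
TRUST_PROPS = (
    "SOUP_SESSION_SSL_CA_FILE", "ssl-ca-file",
    "SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE", "ssl-use-system-ca-file",
    "SOUP_SESSION_TLS_DATABASE", "tls-database",
)
# Message flag reporting that the peer certificate validated.
TRUSTED_FLAG = "SOUP_MESSAGE_CERTIFICATE_TRUSTED"
CTOR = re.compile(r"\bsoup_session_(?:sync_|async_)?new(?:_with_options)?\s*\(")

def call_args(src, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced call: take the rest of the file

def audit(src):
    """List (line, reason) findings for the text of one C source file."""
    findings = []
    checks_flag = TRUSTED_FLAG in src
    # Trust properties may also be set after construction via g_object_set().
    set_later = any(p in src for p in TRUST_PROPS)
    for m in CTOR.finditer(src):
        args = call_args(src, m.end() - 1)
        if any(p in args for p in TRUST_PROPS):
            continue  # constructor itself configures a trust source
        line = src.count("\n", 0, m.start()) + 1
        if set_later or checks_flag:
            findings.append((line, "review: trust handled outside constructor"))
        else:
            findings.append((line, "no CA configuration and no trusted-flag check"))
    return findings

# Constructed sample sources (not taken from evolution-data-server).
SAMPLE_BAD = "void f(void) {\n  s = soup_session_sync_new_with_options(\n    SOUP_SESSION_TIMEOUT, 90, NULL);\n}\n"
SAMPLE_GOOD = "s = soup_session_async_new_with_options(\n  SOUP_SESSION_SSL_CA_FILE, ca, NULL);\n"
SAMPLE_FLAG = "s = soup_session_sync_new();\nif (!(soup_message_get_flags(m) & SOUP_MESSAGE_CERTIFICATE_TRUSTED)) fail();\n"

if __name__ == "__main__":
    for name in ("SAMPLE_BAD", "SAMPLE_GOOD", "SAMPLE_FLAG"):
        print(name, audit(globals()[name]))
```

A "review" finding only means the trust decision is made somewhere other than the constructor call; it still needs a manual read of the code path.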
