oss-sec mailing list archives

[CVE Assignment Notification] CVE-2013-0240 - Gnome Online Accounts (GOA) (previously) failed to verify SSL certificates when creating e.g. Windows Live or Facebook accounts


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 5 Feb 2013 11:12:59 -0500 (EST)

Hello Steve, vendors,

  it was found that Gnome Online Accounts (GOA)
did not perform SSL certificate validation when
creating Windows Live and Facebook accounts.
A remote attacker could use this flaw to conduct
man-in-the-middle (MiTM) attacks, possibly leading
to their ability to obtain sensitive information.

The CVE identifier of CVE-2013-0240 has been assigned
to this issue.

Relevant upstream patch:
[1] http://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e

References:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0240

The issue was found (and reported internally to Red Hat bugzilla)
by Simon McVittie.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

