oss-sec mailing list archives
CVE Request: WebKitGTK+ late TLS certificate verification
From: Michael Catanzaro <mcatanzaro () igalia com>
Date: Tue, 17 Mar 2015 14:34:17 -0500
Hi,

WebKitGTK+ [1] prior to 2.7.92 performed TLS certificate verification too late, after sending an HTTP request rather than before. The issue may be corrected for WebKitGTK+ 2.6.5 and WebKitGTK+ 2.4.8 using the patch at [2].

Applications are affected if they use the WebKit2GTK+ API with WEBKIT_TLS_ERRORS_POLICY_FAIL. (This policy is the default in WebKitGTK+ 2.6.2 and later; applications using earlier versions of WebKitGTK+ must opt-in to certificate verification failures by calling webkit_web_context_set_tls_errors_policy.) Applications using the original WebKitGTK+ 1 API are unaffected because they must handle certificate verification themselves.

Please assign a CVE for this issue.

Thanks,

Michael

[1] http://webkitgtk.org/
[2] http://trac.webkit.org/changeset/181074/trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp
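The following is an added illustration, not code from the post above or from WebKitGTK+: a small Python model of the ordering defect it describes. The Server class, the two fetch functions and the constructed request (including its placeholder session cookie) are all assumptions made for the illustration. With the broken order, the request has already been delivered to whoever terminated the TLS connection by the time the certificate check raises; with the corrected order, an invalid certificate stops the exchange before any application data is written.

```python
"""Model of early vs. late TLS certificate verification.

Added illustration only; it does not use libsoup or WebKit. It models the
point at which the peer certificate is checked relative to writing the
HTTP request, which is the defect described in the CVE request.
"""
from dataclasses import dataclass, field


class TlsError(Exception):
    """Raised when the peer certificate fails verification."""


@dataclass
class Server:
    """Stand-in for whatever terminates the TLS connection (it might be an
    interposed endpoint presenting an untrusted certificate)."""
    cert_valid: bool
    received_requests: list = field(default_factory=list)

    def handle(self, request: str) -> str:
        # Everything the client wrote is now visible to this endpoint.
        self.received_requests.append(request)
        return "HTTP/1.1 200 OK\r\n\r\nhello"


def fetch_late_verification(server: Server, request: str) -> str:
    """Broken order (the pre-2.7.92 behaviour the post describes): the
    request goes out first and the certificate is only checked afterwards."""
    response = server.handle(request)  # request already on the wire
    if not server.cert_valid:
        raise TlsError("certificate verification failed")
    return response


def fetch_early_verification(server: Server, request: str) -> str:
    """Corrected order: verify the certificate as part of establishing the
    connection, before any application data is written."""
    if not server.cert_valid:
        raise TlsError("certificate verification failed")
    return server.handle(request)


# Constructed sample request; the cookie value is a placeholder.
SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=PLACEHOLDER\r\n"
    "\r\n"
)


def request_leaked(fetch, cert_valid: bool = False) -> bool:
    """Run one fetch against a server whose certificate validity is given and
    report whether the request (headers, cookies, body) reached it even
    though verification failed."""
    server = Server(cert_valid=cert_valid)
    try:
        fetch(server, SAMPLE_REQUEST)
    except TlsError:
        pass
    return len(server.received_requests) > 0


def fetch_succeeds(fetch, cert_valid: bool = True) -> bool:
    """Sanity check: with a valid certificate both orders return a response."""
    server = Server(cert_valid=cert_valid)
    try:
        return fetch(server, SAMPLE_REQUEST).startswith("HTTP/1.1 200")
    except TlsError:
        return False


if __name__ == "__main__":
    print("late verification leaks request:", request_leaked(fetch_late_verification))
    print("early verification leaks request:", request_leaked(fetch_early_verification))
```

The model is deliberately minimal: in a real client the verification point is inside the TLS handshake, which is why the fix belongs in the network layer (the ResourceHandleSoup.cpp change linked above) rather than in application code. The practical takeaway for application authors is the one the post makes: on affected versions the application-level policy only decides whether a failed verification aborts the load, so it cannot by itself prevent the request from having been sent.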