oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE Request: WebKitGTK+ late TLS certificate verification

From: Michael Catanzaro <mcatanzaro () igalia com>
Date: Tue, 17 Mar 2015 14:34:17 -0500
Hi,

WebKitGTK+ [1] prior to 2.7.92 performed TLS certificate verification
too late, after sending an HTTP request rather than before. The issue
may be corrected for WebKitGTK+ 2.6.5 and WebKitGTK+ 2.4.8 using the
patch at [2]. Applications are affected if they use the WebKit2GTK+ API
with WEBKIT_TLS_ERRORS_POLICY_FAIL. (This policy is the default in
WebKitGTK+ 2.6.2 and later; applications using earlier versions of
WebKitGTK+ must opt-in to certificate verification failures by calling
webkit_web_context_set_tls_errors_policy.) Applications using the
original WebKitGTK+ 1 API are unaffected because they must handle
certificate verification themselves.

Please assign a CVE for this issue.

Thanks,

Michael

[1] http://webkitgtk.org/
[2]
http://trac.webkit.org/changeset/181074/trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp
Previous By Date Next
Previous By Thread Next

Current thread: