List:       oss-security
Subject:    Re: [oss-security] CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification
From:       Marc Deslauriers <marc.deslauriers () canonical ! com>
Date:       2012-04-30 23:34:48
Message-ID: 1335828888.2997.17.camel () mdlinux

On Tue, 2012-04-24 at 12:04 +0200, Ludwig Nussel wrote:
> Hi,
> 
> libsoup 2.32.2 does not verify certificates at all if an application does
> not explicitly specify a file with trusted root CA's. Since that libsoup
> version relies on the verification failure to clear the trust flag it
> always considers ssl connections as trusted in that case.
> 
> Reference:
> https://bugzilla.novell.com/show_bug.cgi?id=758431
> 

Here is an upstream bug about the issue.

https://bugzilla.gnome.org/show_bug.cgi?id=666280

Marc.
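
The flaw described in the quoted report, reduced to a stand-alone C model next to a fail-closed version. This is an added example, not libsoup's code and not part of the original message; the struct, the function names and the string comparison standing in for certificate chain validation are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a TLS session; these are not libsoup types. */
struct session_model {
    const char *trusted_root; /* stands for the CA file; NULL = none configured */
    const char *peer_issuer;  /* constructed stand-in for the peer's chain */
};

/* Stand-in for chain validation: accept only a peer issued by the one root. */
static bool chain_validates(const struct session_model *s)
{
    return s->trusted_root != NULL && s->peer_issuer != NULL &&
           strcmp(s->trusted_root, s->peer_issuer) == 0;
}

/* Fail-open: the flag starts out trusted and only a verification failure
 * clears it. With no CA file, verification never runs, so nothing clears it. */
bool trusted_fail_open(const struct session_model *s)
{
    bool trusted = true;
    if (s->trusted_root != NULL && !chain_validates(s))
        trusted = false;
    return trusted;
}

/* Fail-closed: the flag starts out untrusted and only a successful
 * verification sets it, so "no CA file" can never yield a trusted session. */
bool trusted_fail_closed(const struct session_model *s)
{
    bool trusted = false;
    if (s->trusted_root != NULL && chain_validates(s))
        trusted = true;
    return trusted;
}

int main(void)
{
    /* Constructed input: no trust roots configured, arbitrary peer issuer. */
    struct session_model no_ca = { NULL, "Constructed Unknown CA" };
    printf("fail-open: %d, fail-closed: %d\n",
           trusted_fail_open(&no_ca), trusted_fail_closed(&no_ca));
    return 0;
}
```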

