Date: Fri, 04 May 2012 10:03:20 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Steve Beattie <steve@...w.org>
Subject: Re: CVE Request: evolution-data-server lacks SSL checking in its libsoup users

On 05/04/2012 02:30 AM, Steve Beattie wrote:
> On Fri, May 04, 2012 at 10:03:11AM +0200, Marcus Meissner wrote:
>> This was already reported: 
>> https://bugzilla.gnome.org/show_bug.cgi?id=671537 
>> https://launchpad.net/bugs/933659   (private still)
>> 
>> so it might have a CVE already.
> 
> I've made the launchpad bug public now. There was no CVE assigned 
> in that report.
> 
> Thanks.
> 

Shouldn't these all be covered by the libsoup CVE:

> libsoup 2.32.2 does not verify certificates at all if an 
> application does not explicitly specify a file with trusted root 
> CA's. Since that libsoup version relies on the verification
> failure to clear the trust flag it always considers ssl connections
> as trusted in that case.
> 
> Reference: https://bugzilla.novell.com/show_bug.cgi?id=758431
> 
> cu Ludwig
> 
Please use CVE-2012-2132 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
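The quoted report describes a fail-open trust flag: the connection starts out trusted and only a verification failure clears the flag, so when no CA file is configured and verification never runs, the flag is never cleared. The following is an added, constructed C model of that control flow placed beside a fail-closed version; it is not libsoup source and the types, function names and the CA path string are invented for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the trust-flag logic described above; not libsoup code. */
typedef struct {
    const char *ca_file;    /* NULL when the application set no trusted CA file */
    bool verification_ran;  /* set by the modelled TLS layer */
    bool chain_ok;          /* result of chain verification, if it ran */
} model_conn;

/* Modelled handshake: chain verification only happens when a CA file is set. */
static void model_handshake(model_conn *c, bool peer_chain_valid)
{
    c->verification_ran = (c->ca_file != NULL);
    c->chain_ok = c->verification_ran && peer_chain_valid;
}

/* Fail-open variant (the pattern in the report): trusted by default, and
 * only a verification failure clears the flag. With no CA file the failure
 * path can never fire, so every connection is reported as trusted. */
bool trusted_fail_open(const model_conn *c)
{
    bool trusted = true;
    if (c->verification_ran && !c->chain_ok)
        trusted = false;
    return trusted;
}

/* Fail-closed variant: trusted only if verification actually ran and passed. */
bool trusted_fail_closed(const model_conn *c)
{
    return c->verification_ran && c->chain_ok;
}

/* Run one modelled connection and return the verdict of the chosen variant. */
bool verdict(bool has_ca_file, bool peer_chain_valid, bool fail_open)
{
    /* "CONSTRUCTED-ca-bundle.pem" is a placeholder, not a real path. */
    model_conn c = { has_ca_file ? "CONSTRUCTED-ca-bundle.pem" : NULL, false, false };
    model_handshake(&c, peer_chain_valid);
    return fail_open ? trusted_fail_open(&c) : trusted_fail_closed(&c);
}
```

The interesting case is `verdict(false, false, true)`: no CA file, an invalid peer chain, and the fail-open logic still reports the connection as trusted; the fail-closed variant reports it as untrusted.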

