Date: Thu, 3 May 2012 17:27:02 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request: evolution-data-server lacks SSL checking in its libsoup users

Hi,

The libsoup SSL certificate checking problem Ludwig exposed is drawing some circles.

I started looking at the libsoup users, first one is evolution-data-server,
None of the libsoup users there seem to handle SSL certificate trust correctly (or at all) in my eyes.

In version 2.28 these are.

Groupwise protocol handling (server/groupwise/e-gw-connection.c)
Exchange protocol handling (server/exchange/lib/e2k-context.c)
Google (servers/google/libgdata-google/gdata-google-service.c)
calendar/backends/http/e-cal-backend-http.c
calendar/backends/caldav/e-cal-backend-caldav.c

I do not fully understand the correct solution to this yet though, whether we need to pass in additional flags, or evaluate the "trusted" flag after the connect.

https://bugzilla.novell.com/show_bug.cgi?id=760517

Ciao, Marcus