Date: Fri, 4 May 2012 10:03:11 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: evolution-data-server lacks SSL checking in its libsoup users

On Thu, May 03, 2012 at 05:27:02PM +0200, Marcus Meissner wrote:
> Hi,
>
> The libsoup SSL certificate checking problem Ludwig exposed is drawing some
> circles.
>
> I started looking at the libsoup users, first one is evolution-data-server,
>
> None of the libsoup users there seem to handle SSL certificate trust correctly (or at all) in my eyes.
>
> In version 2.28 these are.
> Groupwise protocol handling (server/groupwise/e-gw-connection.c)
> Exchange protocol handling (server/exchange/lib/e2k-context.c)
> Google (servers/google/libgdata-google/gdata-google-service.c)
> calendar/backends/http/e-cal-backend-http.c
> calendar/backends/caldav/e-cal-backend-caldav.c
>
> I do not fully understand the correct solution to this yet though, whether we need
> to pass in additional flags, or evaluate the "trusted" flag after the connect.
>
> https://bugzilla.novell.com/show_bug.cgi?id=760517

This was already reported:

https://bugzilla.gnome.org/show_bug.cgi?id=671537
https://launchpad.net/bugs/933659 (private still)

so it might have a CVE already.

Ciao, Marcus