Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 Mar 2015 14:34:17 -0500
From: Michael Catanzaro <mcatanzaro@...lia.com>
To: oss-security@...ts.openwall.com
Cc: clopez@...lia.com
Subject: CVE Request: WebKitGTK+ late TLS certificate verification

Hi,

WebKitGTK+ [1] prior to 2.7.92 performed TLS certificate verification
too late, after sending an HTTP request rather than before. The issue
may be corrected for WebKitGTK+ 2.6.5 and WebKitGTK+ 2.4.8 using the
patch at [2]. Applications are affected if they use the WebKit2GTK+ API
with WEBKIT_TLS_ERRORS_POLICY_FAIL. (This policy is the default in
WebKitGTK+ 2.6.2 and later; applications using earlier versions of
WebKitGTK+ must opt-in to certificate verification failures by calling
webkit_web_context_set_tls_errors_policy.) Applications using the
original WebKitGTK+ 1 API are unaffected because they must handle
certificate verification themselves.

Please assign a CVE for this issue.

Thanks,

Michael

[1] http://webkitgtk.org/
[2]
http://trac.webkit.org/changeset/181074/trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.