Date: Tue, 17 Mar 2015 14:34:17 -0500 From: Michael Catanzaro <mcatanzaro@...lia.com> To: oss-security@...ts.openwall.com Cc: clopez@...lia.com Subject: CVE Request: WebKitGTK+ late TLS certificate verification Hi, WebKitGTK+  prior to 2.7.92 performed TLS certificate verification too late, after sending an HTTP request rather than before. The issue may be corrected for WebKitGTK+ 2.6.5 and WebKitGTK+ 2.4.8 using the patch at . Applications are affected if they use the WebKit2GTK+ API with WEBKIT_TLS_ERRORS_POLICY_FAIL. (This policy is the default in WebKitGTK+ 2.6.2 and later; applications using earlier versions of WebKitGTK+ must opt-in to certificate verification failures by calling webkit_web_context_set_tls_errors_policy.) Applications using the original WebKitGTK+ 1 API are unaffected because they must handle certificate verification themselves. Please assign a CVE for this issue. Thanks, Michael  http://webkitgtk.org/  http://trac.webkit.org/changeset/181074/trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.