Bug 456072 (CVE-2013-0240) - <net-libs/gnome-online-accounts-3.6.3 : SSL Certificate Verification Security Issue (CVE-2013-{0240,1799})
Summary: <net-libs/gnome-online-accounts-3.6.3 : SSL Certificate Verification Security...
Status: RESOLVED FIXED
Alias: CVE-2013-0240
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://secunia.com/advisories/51976/
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-07 19:11 UTC by Agostino Sarubbo
Modified: 2013-05-20 11:51 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Attachments
backported patch for 3.6.2 (gnome-online-accounts-3.6.2-valid-certificates.patch, 25.66 KB, patch)
2013-02-08 06:35 UTC, Alexandre Rostovtsev (RETIRED)

Description Agostino Sarubbo gentoo-dev 2013-02-07 19:11:03 UTC
From $URL:

Description
Simon McVittie has reported a security issue in GNOME Online Accounts, which can be exploited by malicious people to conduct spoofing attacks.

The security issue is caused due to the application not properly verifying a server SSL certificate, which can be exploited to e.g. spoof a server via MitM (Man-in-the-Middle) attacks.

The security issue is reported in version 3.4.2 and versions 3.7.x prior to 3.7.5. Other versions may also be affected.


Solution
Apply updates if available.
Further details available to Secunia VIM customers

Provided and/or discovered by
Simon McVittie

Original Advisory
Gnome Online Accounts:
http://git.gnome.org/browse/gnome-online-accounts/tree/NEWS
http://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e

Simon McVittie:
http://seclists.org/oss-sec/2013/q1/239
https://bugzilla.gnome.org/show_bug.cgi?id=693214
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-02-08 06:35:34 UTC
Created attachment 338286 [details, diff]
backported patch for 3.6.2

@gnome team members, please check whether this patch really works. It compiles, but I have a hard time telling whether it breaks some gnome-online-accounts functionality, or whether gnome-online-accounts-3.6.2 is by nature not reliable with google.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-02-08 06:55:58 UTC
Comment on attachment 338286 [details, diff]
backported patch for 3.6.2

Unfortunately, the patch is not suitable after all: it definitely causes google integration in evolution-3.6 to fail.
Comment 3 Gilles Dartiguelongue (RETIRED) gentoo-dev 2013-03-30 23:06:02 UTC
According to the changelog of 3.6.3:

* Bugs fixed:
 693214 Guard against invalid SSL certificates (CVE-2013-0240)
 695106 Do not send the credentials before notifying the user of an invalid
        SSL certificate (CVE-2013-1799)


Now in tree.
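The two changelog entries above describe two distinct defects: accepting an invalid server certificate at all (CVE-2013-0240, the Secunia description in the report), and, after the first fix, still writing the credentials to the connection before the certificate error was surfaced to the user (CVE-2013-1799). The following example is added here and is not code from gnome-online-accounts or libsoup; it is written in Python so it runs stand-alone. The first half shows the weak and the corrected client TLS settings using the standard `ssl` module. The second half models the request ordering with a constructed `FakeSession` (the `cert_errors` attribute standing in for the TLS error flags a library such as libsoup reports) so the difference between the incomplete and the complete fix is observable: which flow lets a credential-bearing message leave the client when the certificate is bad.

```python
import ssl
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List


# --- CVE-2013-0240: accepting any server certificate ------------------------
# A client that never asks the TLS library to validate the peer certificate
# lets a man-in-the-middle present any certificate it likes. In Python's ssl
# module the equivalent misconfiguration is CERT_NONE with hostname checking
# disabled.
def vulnerable_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    # create_default_context() requires a chain to a trusted CA and a
    # hostname match; an invalid certificate fails the handshake itself,
    # so no application data is ever exchanged with the impostor.
    return ssl.create_default_context()


# --- CVE-2013-1799: credentials sent before the certificate is rejected ----
# FakeSession is a constructed stand-in for a TLS-capable HTTP session:
# cert_errors models the certificate error flags reported by the library and
# send() records every message so the caller can see what left the client.
@dataclass
class FakeSession:
    cert_errors: FrozenSet[str]
    sent: List[str] = field(default_factory=list)

    def send(self, message: str) -> None:
        self.sent.append(message)


class CertificateRejected(Exception):
    """Raised when the server certificate did not validate."""


def login_incomplete_fix(session: FakeSession, user: str, password: str,
                         notify: Callable[[str], None]) -> None:
    # Ordering bug modelled after the CVE-2013-1799 description: the request
    # carrying the credentials goes out first and the certificate error is
    # only surfaced afterwards, so a MitM already holds the password.
    session.send(f"login user={user} password={password}")
    if session.cert_errors:
        notify("invalid certificate: " + ", ".join(sorted(session.cert_errors)))
        raise CertificateRejected(session.cert_errors)


def login_fixed(session: FakeSession, user: str, password: str,
                notify: Callable[[str], None]) -> None:
    # Corrected ordering: refuse before anything secret is written to the
    # connection. The user is told why, and no credential leaves the client.
    if session.cert_errors:
        notify("invalid certificate: " + ", ".join(sorted(session.cert_errors)))
        raise CertificateRejected(session.cert_errors)
    session.send(f"login user={user} password={password}")


def credentials_leaked(login: Callable[..., None]) -> bool:
    """Run `login` against a session whose certificate is bad (constructed
    error flags) and report whether a credential-bearing message was sent."""
    session = FakeSession(cert_errors=frozenset({"self-signed", "bad-identity"}))
    notices: List[str] = []
    try:
        login(session, "alice", "hunter2", notices.append)
    except CertificateRejected:
        pass
    return any("password=" in m for m in session.sent)


if __name__ == "__main__":
    print("incomplete fix leaks credentials:", credentials_leaked(login_incomplete_fix))
    print("fixed flow leaks credentials:    ", credentials_leaked(login_fixed))
```

The point of `credentials_leaked` is that the user notification in the incomplete flow arrives too late to matter: by the time the dialog is shown the password is already on the wire, which is exactly why CVE-2013-1799 was assigned on top of CVE-2013-0240.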
Comment 4 Agostino Sarubbo gentoo-dev 2013-04-05 11:45:46 UTC
CVE-2013-1799:
Summary: Gnome Online Accounts (GOA) 3.6.x before 3.6.3 and 3.7.x before 3.7.91, does not properly validate SSL certificates when creating accounts for providers who use the libsoup library, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network. NOTE: this issue exists because of an incomplete fix for CVE-2013-0240.

Please punt vulnerable version.
Comment 5 Gilles Dartiguelongue (RETIRED) gentoo-dev 2013-05-20 11:51:00 UTC
Vulnerable versions punted.

*gnome-online-accounts-3.8.1 (20 Apr 2013)

  20 Apr 2013; Pacho Ramos <pacho@gentoo.org>
  +gnome-online-accounts-3.8.1.ebuild, -gnome-online-accounts-3.6.2.ebuild:
  Version bump, drop old


thanks.