From ${URL} :

It was reported [1],[2] that telepathy-idle, an IRC backend for the Telepathy framework, did not check the server's SSL/TLS certificate for validity [3]. This could allow an attacker to carry out man-in-the-middle attacks. This flaw has existed in the source since 2007, and versions 0.1.11 through to 0.1.14 use GLib for TLS, so they did very basic checks on certificates, but did not check that the certificate issuer was a trusted CA, that the identity matched the server's hostname, or that the certificate had not expired. The forthcoming 0.1.15 release will fix this flaw; a patch is attached to the upstream bug [4].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706094
[2] http://www.openwall.com/lists/oss-security/2013/04/24/5
[3] https://bugs.freedesktop.org/show_bug.cgi?id=63810
[4] https://bugs.freedesktop.org/attachment.cgi?id=78341

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
0.1.15 is already in the tree, feel free to stabilize it
(In reply to comment #1)
> 0.1.15 is already in the tree, feel free to stabilize it

0.1.16 is a better candidate, as it fixes a regression that the previous fix of the security bug had.
amd64 stable
x86 stable
ppc stable
arm stable
alpha stable
ia64 stable
sparc stable
GLSA vote: no. @maintainers: please clean up affected versions.
CVE-2007-6746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6746): telepathy-idle before 0.1.15 does not verify (1) that the issuer is a trusted CA, (2) that the server hostname matches a domain name in the subject's Common Name (CN), or (3) the expiration date of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
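The three checks that the report above and the CVE text say were missing (trusted issuer, hostname match, validity period), as an added Python example that is not part of this bug thread or of telepathy-idle: it evaluates a constructed certificate dict in the shape Python's ssl.getpeercert() returns. The issuer check against a name set is a stand-in for real chain validation, which a client should leave to its TLS library; all names, dates and hostnames are assumptions made up for the example.

```python
from datetime import datetime, timezone
# Constructed sample certificate, in the dict shape ssl.SSLSocket.getpeercert() returns; all values are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "irc.example.net"),),),
    "issuer": ((("organizationName", "Example Trust"),), (("commonName", "Example Root CA"),)),
    "subjectAltName": (("DNS", "irc.example.net"), ("DNS", "*.irc.example.net")),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Jan  1 00:00:00 2014 GMT",
}
TRUSTED_ISSUERS = {"Example Root CA"}                      # stand-in for a CA trust store
EXAMPLE_NOW = datetime(2013, 6, 1, tzinfo=timezone.utc)    # fixed clock keeps the demo reproducible
EXPIRED_NOW = datetime(2015, 1, 1, tzinfo=timezone.utc)    # a moment after notAfter

def _rdn_values(name, key):
    """Collect the values of attribute `key` (e.g. commonName) from a getpeercert() name tuple."""
    return [v for rdn in name for k, v in rdn if k == key]
def _parse_asn1_time(text):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' strings getpeercert() uses for notBefore/notAfter."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
def _dns_match(pattern, hostname):
    """RFC 6125 style match: a wildcard is accepted only as the entire leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                                   # "*.irc.example.net" -> ".irc.example.net"
    prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return bool(prefix) and "." not in prefix              # exactly one extra label, never zero or two

def verify_peer_cert(cert, hostname, trusted_issuers, now):
    """Return the list of failed checks; an empty list means the certificate is acceptable."""
    problems = []
    # 1. issuer must be trusted (a real client lets the TLS library verify the whole chain instead)
    if not set(_rdn_values(cert.get("issuer", ()), "commonName")) & set(trusted_issuers):
        problems.append("untrusted issuer")
    # 2. identity must match: SAN dNSName entries win, the subject CN is only a fallback without SANs
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = names or _rdn_values(cert.get("subject", ()), "commonName")
    if not any(_dns_match(n, hostname) for n in names):
        problems.append("hostname mismatch")
    # 3. the clock must fall inside the validity window
    if not _parse_asn1_time(cert["notBefore"]) <= now <= _parse_asn1_time(cert["notAfter"]):
        problems.append("outside validity period")
    return problems

def run_demo():
    """The cert as the real server presents it, then for an unrelated host, unknown issuer, after expiry."""
    legit = verify_peer_cert(SAMPLE_CERT, "irc.example.net", TRUSTED_ISSUERS, EXAMPLE_NOW)
    bad = verify_peer_cert(SAMPLE_CERT, "irc.victim.example", set(), EXPIRED_NOW)
    return {"legit": legit, "bad": bad}
```

The second case in run_demo is what the unfixed versions accepted: the certificate is well-formed, so "very basic checks" pass, and only the three explicit checks reject it.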
NO too.
+ 29 Aug 2013; Pacho Ramos <pacho@gentoo.org> -telepathy-idle-0.1.14.ebuild, + -telepathy-idle-0.1.15.ebuild: + Drop old +