From ${URL} :

Debian bug #783601[1] reported that Gobby - a collaborative text editor - silently accepted expired certificates. The upstream bug report is [2]. The bug is actually in libinfinity and the fix is available on [2].

libinfinity does support certificate pinning and hence contains the ability to disable some checks like trusted issuer and hostname verification. However, the catch-all validity check was in the wrong location.

Please assign a CVE ID for this.

Kind regards and thanks
Philipp Kern

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783601
[2] https://github.com/gobby/gobby/issues/61
[3] https://github.com/gobby/libinfinity/commit/c97f870f5ae13112988d9f8ad464b4f679903706

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
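The report above describes pinning that may waive issuer and hostname checks while a catch-all validity check sat in the wrong place. The following is an added, simplified model of that ordering problem, not libinfinity's code and not part of the original report; the status bits and both function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed status bits standing in for a TLS library's verification
 * result; the names are hypothetical, not libinfinity or GnuTLS symbols. */
enum {
    ST_UNKNOWN_ISSUER    = 1u << 0,
    ST_HOSTNAME_MISMATCH = 1u << 1,
    ST_EXPIRED           = 1u << 2,
    ST_NOT_ACTIVATED     = 1u << 3,
    ST_REVOKED           = 1u << 4
};

/* The only findings a matching pin is allowed to waive. */
#define WAIVED_BY_PIN (ST_UNKNOWN_ISSUER | ST_HOSTNAME_MISMATCH)

/* Misplaced catch-all: it sits inside the unpinned branch, so a pinned
 * certificate is accepted without its remaining status bits being read. */
bool accept_misplaced(unsigned status, bool pin_matches)
{
    if (!pin_matches) {
        if (status != 0)
            return false;
    }
    return true;
}

/* Corrected ordering: clear only the waivable bits when the pin matches,
 * then apply the catch-all to whatever is left on every path. */
bool accept_corrected(unsigned status, bool pin_matches)
{
    if (pin_matches)
        status &= ~WAIVED_BY_PIN;
    return status == 0;
}

int main(void)
{
    /* Constructed case: pinned self-signed certificate that has expired. */
    unsigned status = ST_UNKNOWN_ISSUER | ST_HOSTNAME_MISMATCH | ST_EXPIRED;
    printf("misplaced: %s\n", accept_misplaced(status, true) ? "accept" : "reject");
    printf("corrected: %s\n", accept_corrected(status, true) ? "accept" : "reject");
    return 0;
}
```

A regression test for this class of bug should present an expired certificate on every acceptance path (trusted, pinned, and unpinned) and expect rejection on each.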
Newer versions are available upstream, the latest being 0.6.7. This also contains the required fix: https://github.com/gobby/libinfinity/releases
Package bumped: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fea44110f288641aa0b4efde33ff2043bbde973e

@maintainer, please let us know if we can purge 0.5.4. Thanks.
Removed: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=45daea7d0a798f3b86505928778434e226fcabff