| Summary: | <dev-libs/libgdata-{0.8.1-r2,0.10.2}: Does not validate SSL certificates allowing for MITM (CVE-2012-1177) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Harrison <n0idx80> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | gnome |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugs.launchpad.net/ubuntu/+source/libgdata/+bug/938812 | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Michael Harrison
2012-03-15 00:18:08 UTC
Thanks for reporting, fixed in 0.8.1-r2 and 0.10.2. Note that libgdata-0.8.1-r2 should be stabilized, but *not* libgdata-0.10.2 for now (the 0.10.x series has API changes that break evolution-data-server-2.x).

> *libgdata-0.10.2 (15 Mar 2012)
> *libgdata-0.8.1-r2 (15 Mar 2012)
>
>   15 Mar 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>   -libgdata-0.8.0.ebuild, +libgdata-0.8.1-r2.ebuild,
>   +files/libgdata-0.8.1-validate-ssl.patch, -libgdata-0.10.0.ebuild,
>   +libgdata-0.10.2.ebuild:
>   Validate SSL certificates to prevent MITM attack (bug #408245, CVE-2012-1177,
>   thanks to Michael Harrison for reporting). Drop old.

(In reply to comment #1)
> Thanks for reporting, fixed in 0.8.1-r2 and 0.10.2.

Great, thank you.

Arches, please test and mark stable:
=dev-libs/libgdata-0.8.1-r2
Target keywords : "alpha amd64 arm ia64 ppc ppc64 sparc x86"

amd64 stable

ppc64 done

arm stable

x86 stable

alpha/ia64/sparc stable

ppc done

Thanks, everyone. Creating GLSA draft.

This issue was resolved and addressed in GLSA 201208-06 at http://security.gentoo.org/glsa/glsa-201208-06.xml by GLSA coordinator Sean Amoss (ackle).

CVE-2012-1177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1177):
libgdata before 0.10.2 and 0.11.x before 0.11.1 does not validate SSL certificates, which allows remote attackers to obtain user names and passwords via a man-in-the-middle (MITM) attack with a spoofed certificate.
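The class of defect behind CVE-2012-1177 is a TLS client that never checks the server certificate. As an added illustration that is not part of this bug, the GLSA, or the libgdata/libsoup code (the real fix is the C patch named in the changelog above; this is written in Python with the standard `ssl` module), the block below puts the weak client configuration next to the corrected one and adds a small audit function that reports the settings a reviewer would flag: no certificate verification, no hostname match, and protocol versions below TLS 1.2. The `insecure_client_context`, `strict_client_context`, `tls_client_findings` and `handshake` names are this example's own.

```python
import socket
import ssl


def tls_client_findings(ctx):
    """Return the weaknesses found in an ssl.SSLContext used for outbound client connections.

    An empty list means the context verifies the peer the way a patched libgdata does.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified against a trust store "
                        "(verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate identity is not matched against the requested host "
                        "(check_hostname is False)")
    # TLSVersion is an IntEnum, so ordering comparisons are meaningful.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


def insecure_client_context():
    """Constructed weak configuration: any certificate is accepted, as in the unpatched library.

    This is the shape of the bug, shown only so the audit has something to flag.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def strict_client_context(cafile=None):
    """Corrected configuration: system trust store (or the given CA bundle), hostname check, TLS >= 1.2."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def handshake(host, port=443, ctx=None, timeout=5.0):
    """Open a TLS connection and report (ok, detail).

    With the strict context a spoofed or mismatched certificate surfaces here as
    SSLCertVerificationError instead of silently succeeding. This performs a real
    network connection and is not exercised by the offline checks.
    """
    ctx = ctx or strict_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("strict", strict_client_context())):
        print(name, tls_client_findings(ctx) or ["no findings"])
```

Running the module prints three findings for the insecure context and none for the strict one; `handshake("example.invalid", ctx=strict_client_context())` style calls are where a bad certificate would be refused in practice. The audit function is the part worth keeping: applied to every `SSLContext` a code base constructs, it catches the "verification disabled" pattern before it ships.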