| Summary: | <net-irc/telepathy-idle-0.1.16 : does not properly validate SSL certificates (CVE-2007-6746) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | gnome, net-im |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=956334 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2013-04-29 22:21:21 UTC
0.1.15 is already in the tree, feel free to stabilize it

(In reply to comment #1)
> 0.1.15 is already in the tree, feel free to stabilize it

0.1.16 is a better candidate as it fixes a regression the previous fix of the security bug had

amd64 stable

x86 stable

ppc stable

arm stable

alpha stable

ia64 stable

sparc stable

GLSA vote: no. @maintainers: please clean up affected versions.

CVE-2007-6746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6746): telepathy-idle before 0.1.15 does not verify (1) that the issuer is a trusted CA, (2) that the server hostname matches a domain name in the subject's Common Name (CN), or (3) the expiration date of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

NO too.

+ 29 Aug 2013; Pacho Ramos <pacho@gentoo.org> -telepathy-idle-0.1.14.ebuild, + -telepathy-idle-0.1.15.ebuild: + Drop old +
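
Review bot: the entry text "Drop old" gives no reason for removing telepathy-idle-0.1.14.ebuild and telepathy-idle-0.1.15.ebuild. Since the removal follows the request in this bug to clean up affected versions, name CVE-2007-6746 or the bug in the ChangeLog entry so the security cleanup can be traced from the tree history.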
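
The three checks listed in the CVE-2007-6746 description, mapped onto a TLS client configuration. This is an added example, not code from telepathy-idle or from this bug report. It assumes Python's `ssl` module as a stand-in for the client's TLS setup, and the function names and gap labels are hypothetical.

```python
import ssl

def missing_checks(ctx):
    """Return which of the three CVE-2007-6746 checks a client context would skip."""
    gaps = []
    if ctx.verify_mode == ssl.CERT_NONE:
        # With verification off, the handshake ignores chain errors, so an
        # untrusted issuer (1) and an expired certificate (3) are both accepted.
        # Expiry has no switch of its own; it is enforced as part of chain validation.
        gaps += ["issuer-trust", "expiry"]
    if not ctx.check_hostname:
        # Any certificate a trusted CA issued for *another* name is accepted (2).
        gaps.append("hostname")
    return gaps

def weak_context():
    """Constructed 'before' case: nothing about the server certificate is verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def chain_only_context():
    """Constructed partial fix: chain and expiry are verified, the hostname is not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

def hardened_context():
    """System trust store, CERT_REQUIRED and hostname matching all enabled."""
    return ssl.create_default_context()

if __name__ == "__main__":
    for name, make in [("weak", weak_context),
                       ("chain-only", chain_only_context),
                       ("hardened", hardened_context)]:
        print(f"{name:11s} skips: {missing_checks(make()) or 'nothing'}")
```

The chain-only case shows why a partial fix is not enough: with hostname matching off, a certificate that validates for any other domain still passes.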