
Bug 522926 (CVE-2014-5444)

Summary: <mail-client/geary-0.6.3: failure to handle certificate errors (CVE-2014-5444)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 522942, 523106
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2014-09-16 08:56:58 UTC
From ${URL} :

It was reported that when Geary, an email client, received a certificate error, it continued 
connecting without warning the user. This could lead to man-in-the-middle attacks.

This has been fixed in upstream version 0.6.3 (this version is in Fedora 20 testing).


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
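The failure mode described in the report, as an added Python illustration (not Geary's code, which is Vala): the vulnerable pattern swallows the certificate error and silently continues over an unverified session, while the corrected pattern surfaces the error to the user and refuses to connect. The `imap_connector` helper and the `bad_cert_stub` stand-in server are hypothetical and constructed for this example.

```python
import socket
import ssl
from typing import Callable, Optional

Connector = Callable[[ssl.SSLContext], object]

def strict_tls_context() -> ssl.SSLContext:
    """Context that verifies the server chain against the system CAs and checks the hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def vulnerable_connect(connect: Connector) -> object:
    """The bug pattern: a certificate error is swallowed and the session continues unverified."""
    try:
        return connect(strict_tls_context())
    except ssl.SSLCertVerificationError:
        lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        lax.check_hostname = False       # hostname mismatch ignored
        lax.verify_mode = ssl.CERT_NONE  # untrusted / self-signed chain accepted
        return connect(lax)              # user never learns the peer was not authenticated

def fixed_connect(connect: Connector, warn: Callable[[str], None]) -> Optional[object]:
    """Corrected pattern: the error is shown to the user and the connection is refused."""
    try:
        return connect(strict_tls_context())
    except ssl.SSLCertVerificationError as exc:
        warn(f"TLS certificate verification failed, not connecting: {exc}")
        return None

def imap_connector(host: str, port: int = 993) -> Connector:
    """Hypothetical connector for a real IMAPS server; returns the TLS-wrapped socket."""
    def connect(ctx: ssl.SSLContext) -> ssl.SSLSocket:
        raw = socket.create_connection((host, port), timeout=10)
        return ctx.wrap_socket(raw, server_hostname=host)
    return connect

def bad_cert_stub(ctx: ssl.SSLContext) -> str:
    """Constructed stand-in for a server presenting an untrusted certificate:
    it only 'connects' when the client has disabled verification."""
    if ctx.verify_mode == ssl.CERT_REQUIRED:
        raise ssl.SSLCertVerificationError("self-signed certificate (constructed)")
    return "connected-unverified"

if __name__ == "__main__":
    messages = []
    print(vulnerable_connect(bad_cert_stub))              # connected-unverified
    print(fixed_connect(bad_cert_stub, messages.append))  # None
    print(messages)
```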
Comment 1 Julian Ospald 2014-09-16 10:28:35 UTC
+*geary-0.6.3 (16 Sep 2014)
+  16 Sep 2014; Julian Ospald <> +geary-0.6.3.ebuild,
+  +files/geary-0.6.3-cflags.patch:
+  security version bump wrt #522926

go ahead and stabilize
Comment 2 Agostino Sarubbo gentoo-dev 2014-09-16 12:46:49 UTC
Arches, please test and mark stable:
Target keywords : "amd64 x86"
Comment 3 Julian Ospald 2014-09-18 11:13:46 UTC
stabilize geary-0.6.3-r1 now instead
Comment 4 Agostino Sarubbo gentoo-dev 2014-09-18 13:09:19 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-09-18 13:09:32 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-12-28 09:30:51 UTC
GLSA vote: no.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 17:50:44 UTC
CVE-2014-5444:
  Geary before 0.6.3 does not present the user with a warning when a TLS
  certificate error is detected, which makes it easier for remote attackers to
  conduct man-in-the-middle attacks via a crafted certificate.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 21:10:11 UTC
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-05-11 15:46:37 UTC
Maintainer(s), thank you for the cleanup.