Summary: | <net-libs/webkit-gtk-2.7.92: WebKitGTK+ late TLS certificate verification (CVE-2015-2330) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://seclists.org/oss-sec/2015/q1/871 | ||
Whiteboard: | A4 [glsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Kristian Fiskerstrand (RETIRED)
2015-03-17 21:54:13 UTC
webkit 2.4.9 just got out, possibly fixed there?

(In reply to Joakim Tjernlund from comment #1)
> webkit 2.4.9 just got out, possibly fixed there?

Seems like it did (from release notes):

  o Check TLS errors as soon as they are set in the SoupMessage to prevent any data from being sent to the server in case of invalid certificate.

2.4.9 and 2.6.6 in tree have fixes for this according to ChangeLog/NEWS.

This is already fixed in current stable versions in the tree.

Added to new GLSA.

This issue was resolved and addressed in GLSA 201612-41 at https://security.gentoo.org/glsa/201612-41 by GLSA coordinator Aaron Bauman (b-man).

Should not have been addressed via GLSA or closed. Errata published. Reopening.

This issue was resolved and addressed in GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15 by GLSA coordinator Thomas Deutschmann (whissi).