From ${URL}:

Hi,

WebKitGTK+ [1] prior to 2.7.92 performed TLS certificate verification too late, after sending an HTTP request rather than before. The issue may be corrected for WebKitGTK+ 2.6.5 and WebKitGTK+ 2.4.8 using the patch at [2].

Applications are affected if they use the WebKit2GTK+ API with WEBKIT_TLS_ERRORS_POLICY_FAIL. (This policy is the default in WebKitGTK+ 2.6.2 and later; applications using earlier versions of WebKitGTK+ must opt in to certificate verification failures by calling webkit_web_context_set_tls_errors_policy.) Applications using the original WebKitGTK+ 1 API are unaffected because they must handle certificate verification themselves.

Please assign a CVE for this issue.

Thanks,
Michael

[1] http://webkitgtk.org/
[2] http://trac.webkit.org/changeset/181074/trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp
webkit 2.4.9 just got out, possibly fixed there?
(In reply to Joakim Tjernlund from comment #1)
> webkit 2.4.9 just got out, possibly fixed there?

Seems like it did (from release notes):

o Check TLS errors as soon as they are set in the SoupMessage to prevent any data from being sent to the server in case of invalid certificate.
2.4.9 and 2.6.6 in tree have fixes for this according to ChangeLog/NEWS.
This is already fixed in current stable versions in the tree
Added to new GLSA.
This issue was resolved and addressed in GLSA 201612-41 at https://security.gentoo.org/glsa/201612-41 by GLSA coordinator Aaron Bauman (b-man).
Should not have been addressed via GLSA or closed. Errata published. Reopening.
This issue was resolved and addressed in GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15 by GLSA coordinator Thomas Deutschmann (whissi).