Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 550126 (CVE-2015-3886) - <net-libs/libinfinity-0.6.7: does not correctly check certificates for validity
Summary: <net-libs/libinfinity-0.6.7: does not correctly check certificates for validity
Alias: CVE-2015-3886
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2015-05-22 07:15 UTC by Agostino Sarubbo
Modified: 2016-04-04 11:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-05-22 07:15:28 UTC
From ${URL} :

Debian bug #783601[1] reported that Gobby - a collaborative text editor
- silently accepted expired certificates. The upstream bug report is
[2]. The bug is actually in libinfinity and the fix is available on [2].

libinfinity does support certificate pinning and hence contains the
ability to disable some checks like trusted issuer and hostname
verification. However the catch-all validity check was in the wrong

Please assign a CVE ID for this.

Kind regards and thanks
Philipp Kern


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-03-29 09:21:16 UTC
Newer versions with the latest being 0.6.7 available upstream. This also contains the required fix:
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-04-04 03:54:24 UTC
Package bumped:

@maintainer, please let us know if we can purge 0.5.4.  Thanks.