Processed: Re: Bug#672880: CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

Yves-Alexis Perez corsac at debian.org
Wed Oct 10 06:13:15 UTC 2012


Control: forcemerge 607497 -1
thanks

On mar., 2012-10-09 at 21:36 +0000, Debian Bug Tracking System wrote:
> Processing commands for control at bugs.debian.org:
> 
> > reassign 672880 midori
> Bug #672880 [libsoup2.4-1] CVE-2012-2132: does not indicate whether or not an SSL certificate is valid
> Bug reassigned from package 'libsoup2.4-1' to 'midori'.
> No longer marked as found in versions libsoup2.4/2.30.2-1+squeeze1.
> Ignoring request to alter fixed versions of bug #672880 to the same values previously set
> > severity 672880 normal
> Bug #672880 [midori] CVE-2012-2132: does not indicate whether or not an SSL certificate is valid
> Severity set to 'normal' from 'important'
> > thanks
> Stopping processing here.
> 
> Please contact me if you need assistance.

(when reassigning, please provide a bit of context…)

Actually the same kind of question was already raised (see #607497) and
already assigned a CVE (CVE-2010-3900).

Henri, did you actually check? Because, here, loading an HTTPS website
with a CA not recognized correctly turns the URL bar to red.

The version in git is a bit more aggressive: it won't even load the
website if it can't validate the certificate. It's a bit rude against
people using self-signed certificates (which are a perfectly valid
usage) but there aren't many options right now.

Obviously, it's not targeted to Wheezy (nor for sid either, for that
matter, because of ftp-masters' position on waf).

Regards,
-- 
Yves-Alexis