Bug#699825: CVE-2013-0240: fails to verify SSL certificates when creating accounts
Simon McVittie
smcv at debian.org
Tue Feb 5 16:45:08 UTC 2013

Package: gnome-online-accounts
Version: 3.4.2-1
Severity: grave
Tags: security pending
Justification: user security hole

I discovered this vulnerability, which was just made public on oss-security:

> it was found that Gnome Online Accounts (GOA)
> did not perform SSL certificate validation, when
> performing Windows Live and Facebook accounts creation.
> A remote attacker could use this flaw to conduct
> man-in-the-middle (MiTM) attacks, possibly leading
> to their ability to obtain sensitive information.

It's fixed in upstream master.

I have a backport to 3.4 on the way (it needs testing though).

3.6 in experimental is also affected. I've asked upstream for a backported
patch for 3.6, we'll see what happens...

S