Bug#702976: CVE-2010-3312
Sébastien Villemot
sebastien at debian.org
Wed Mar 13 22:10:41 UTC 2013
On Wednesday, 13 March 2013 at 15:59 -0600, Vincent Danen wrote:
> * [2013-03-13 22:12:25 +0100] Sébastien Villemot wrote:
>
> >On Wednesday, 13 March 2013 at 11:58 -0600, Vincent Danen wrote:
> >> This issue was given the name CVE-2010-3312 quite a while ago. See
> >> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3312 for more info.
> >
> >I don't think this is the same issue. The problem reported here is
> >specifically about redirections, while CVE-2010-3312 (#564690 in Debian)
> >was about *never* verifying SSL certs (and is now fixed).
>
> Well, the issue in our bugzilla is still not fixed in the latest Fedora
> version and since the bug is about epiphany not validating certificates
> in general. Are you sure it's fixed? If it's fixed in Debian but not
> upstream, then this should probably be classified as a separate issue
> (but from where I sit, we have 3.6.1 in Fedora 18 and it doesn't seem to
> do anything right with regards to SSL certificates).
In Debian, with version 3.4.2, visiting a site with an invalid SSL
certificate leads to the display of a broken-lock icon in the right
hand-side of the address bar. This was considered as sufficient for
Debian, see bug #603594 for more details on this.
OTOH, when I visit the URL reported by the submitter, I get the (normal)
lock icon, i.e. epiphany considers that the site is secure (even though
the certificate common name does not match the hostname typed by the
user).
--
.''`. Sébastien Villemot
: :' : Debian Developer
`. `' http://www.dynare.org/sebastien
`- GPG Key: 4096R/381A7594
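The failure described in this thread is a hostname check that is skipped or applied only to the URL the user typed, so a certificate whose name does not match the site still gets the normal lock icon. The following is an added example, not code from epiphany, Debian or either poster, of the check a client is expected to perform at every hop of a redirect chain: match the requested hostname against the certificate's dNSName SANs (falling back to the CN only when no dNSName is present, as RFC 6125 specifies), with wildcards accepted only as the whole leftmost label. The certificate dicts are constructed samples shaped like `ssl.SSLSocket.getpeercert()` output, not real certificates, and `verify_redirect_chain` is a hypothetical helper for this example.

```python
"""Hostname-vs-certificate matching (added example, RFC 6125 style).

Certificates are plain dicts in the shape returned by
ssl.SSLSocket.getpeercert(): 'subjectAltName' is a sequence of
(type, value) pairs and 'subject' a sequence of RDNs, each a sequence
of (key, value) pairs. No network access is needed.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a dNSName `pattern` covers `hostname`.

    A wildcard is accepted only as the entire leftmost label, it never
    matches across a dot, and it is rejected for a bare TLD ('*.org').
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Check `hostname` against a getpeercert()-shaped dict.

    When any dNSName SAN is present the commonName is ignored entirely;
    the CN is consulted only for legacy certificates without a dNSName.
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(dns_name_matches(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


def verify_redirect_chain(hops):
    """Hypothetical helper: `hops` is a sequence of (requested_hostname, cert)
    for each hop of a redirect chain. Returns the first hostname whose
    certificate does not match, or None when every hop checks out. The point
    is that the check must be repeated after every redirect, not only for
    the URL the user originally typed.
    """
    for hostname, cert in hops:
        if not cert_matches_hostname(cert, hostname):
            return hostname
    return None


# Constructed sample certificates (not real certificates).
CERT_OK = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.example.org")),
}
CERT_CN_MISMATCH = {
    # Legacy-style cert with no SAN: the CN is what gets compared.
    "subject": ((("commonName", "other.example.net"),),),
}

if __name__ == "__main__":
    chain = [
        ("www.example.org", CERT_OK),      # first hop: matches a SAN
        ("cdn.example.org", CERT_OK),      # redirect: covered by the wildcard SAN
        ("login.example.org", CERT_CN_MISMATCH),  # redirect: name mismatch
    ]
    print("first failing hop:", verify_redirect_chain(chain))
```

A browser following the redirect in the report would, with this logic, flag the final hop rather than showing the normal lock, because the name the user reached is compared against the certificate presented at that hop, not the one from the first request.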