[Pkg-telepathy-maintainers] Bug#706094: telepathy-idle: does not verify TLS certificates properly
Simon McVittie
smcv at debian.org
Wed Apr 24 16:39:59 UTC 2013
On 24/04/13 17:05, Simon McVittie wrote:
> On Wed, 24 Apr 2013 at 16:25:46 +0100, Simon McVittie wrote:
>> telepathy-idle < 0.1.15 does not verify that the server's TLS certificate was
>> issued by a trusted CA, or that it hasn't expired, or that it matches the
>> server's hostname.
>
> Here is a proposed patch for wheezy, either via t-p-u for wheezy r0 or
> security/s-p-u for wheezy r1.
Security team: wheezy is vulnerable to this, and has a somewhat older
upstream version than unstable (so it can't migrate that way). How do
you want us to deal with this? I've re-attached the proposed patch for
wheezy for your reference.
I've requested a CVE ID on oss-security.
I don't have a patch for squeeze, which would require implementing
OpenSSL cert-checking in long-superseded code.
I don't think this is RC, particularly for squeeze: IRC is typically
used without SSL, and the telepathy-idle version in squeeze is a pretty
poor IRC implementation in general. It's telling that this is the one
Telepathy component that has never had a stable-branch...
S
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Validate-TLS-certificates-Closes-706094.patch
URL: <http://lists.alioth.debian.org/pipermail/pkg-telepathy-maintainers/attachments/20130424/ac2a6007/attachment.ksh>
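The three checks the report says were missing (CA trust, validity period, hostname match), shown as an added example that is not part of this message or of telepathy-idle. The first context reproduces the weak behaviour, the second the corrected one, and `audit_peer_cert` re-runs the expiry and hostname checks on a constructed `getpeercert()`-style dict (the names and dates in it are made up; chain trust can only be checked during the handshake, so the context must do that part).

```python
import ssl
import time

# Constructed sample in the dict format ssl.SSLSocket.getpeercert() returns
# (not a real certificate; names and dates are invented for this example).
SAMPLE_CERT = {
    "subject": ((("commonName", "irc.example.org"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Dec 31 23:59:59 2013 GMT",
    "subjectAltName": (("DNS", "irc.example.org"), ("DNS", "*.example.org")),
}

def insecure_context():
    """Weak setting: encrypts the link but accepts any certificate from anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verified_context():
    """Corrected setting: OpenSSL verifies the chain against the system CA store
    and the validity period; Python verifies the hostname against SAN/CN."""
    return ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True

def _name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return False

def audit_peer_cert(cert, hostname, now=None):
    """Re-check validity period and hostname on a getpeercert() dict.
    Returns a list of problems; an empty list means both checks passed."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:   # fall back to the subject CN only when no SAN is present
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("hostname %s not in %s" % (hostname, names))
    return problems
```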