[Pkg-telepathy-maintainers] Bug#706142: pu: telepathy-idle/0.1.11-2+deb7u1

Simon McVittie smcv at debian.org
Thu May 23 10:10:30 UTC 2013

On 22/05/13 22:14, Adam D. Barratt wrote:
> On Sat, 2013-05-11 at 17:58 +0100, Adam D. Barratt wrote:
>> On Thu, 2013-04-25 at 12:47 +0100, Simon McVittie wrote:
>>> The version of telepathy-idle in wheezy does not validate IRC servers'
>>> SSL certificates when used with SSL (#706094, CVE ID requested).
> [...]
>> Please go ahead with an upload for stable.
> Ping?

Cc pkg-telepathy-maintainers: could someone who uses telepathy-idle
regularly please pick this up?

Sorry, I've been holding off on this because the proposed patch is a
regression: users who were relying on the ability to get a
(man-in-the-middle-vulnerable) connection to an SSL IRC server whose
certificate is self-signed or untrusted can no longer do so. I didn't
think many people would fall into this category, but apparently quite a
lot do...

This is fixed in 0.1.16 in unstable, which hooks up the necessary
infrastructure to do a browser-style "does this certificate look OK?"
prompt in Empathy or kde-telepathy. However, that's a significant amount
of code (~ 1k lines).

0.1.16 also has unrelated bugfixes, and an unrelated new feature
(listing chatrooms on servers).

Possible resolutions include:

* upload 0.1.11-2+deb7u1 as-is, and accept the regression
  (Ubuntu did this)

* upload 0.1.16 to wheezy

* backport 0.1.16 to wheezy-backports (which should be trivial),
  and upload 0.1.11-2+deb7u1 with a NEWS file noting the regression
  and suggesting the backport

* backport the certificate bits from 0.1.16 to 0.1.11
