Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20120504080311.GF16166@suse.de>
Date: Fri, 4 May 2012 10:03:11 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: evolution-data-server lacks SSL checking in its libsoup users

On Thu, May 03, 2012 at 05:27:02PM +0200, Marcus Meissner wrote:
> Hi,
> 
> The libsoup SSL certificate checking problem Ludwig exposed is drawing some
> circles.
> 
> I started looking at the libsoup users, first one is evolution-data-server,
> 
> None of the libsoup users there seem to handle SSL certificate trust correctly (or at all) in my eyes.
> 
> In version 2.28 these are.
> 	Groupwise protocol handling (server/groupwise/e-gw-connection.c)
> 	Exchange protocol handling (server/exchange/lib/e2k-context.c)
> 	Google (servers/google/libgdata-google/gdata-google-service.c)
> 	calendar/backends/http/e-cal-backend-http.c
> 	calendar/backends/caldav/e-cal-backend-caldav.c
> 
> I do not fully understand the correct solution to this yet though, whether we need
> to pass in additional flags, or evaluate the "trusted" flag after the connect.
> 
> https://bugzilla.novell.com/show_bug.cgi?id=760517

This was already reported:
	https://bugzilla.gnome.org/show_bug.cgi?id=671537
	https://launchpad.net/bugs/933659   (private still)

so it might have a CVE already.

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.