Debian Bug report logs - #672880: CVE-2012-2132: does not indicate whether or not an SSL certificate is valid
Report forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#672880; Package libsoup2.4-1. (Mon, 14 May 2012 12:39:05 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Mon, 14 May 2012 12:39:11 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libsoup2.4-1
Version: 2.30.2-1+squeeze1
Severity: important
Tags: security
References:
https://bugzilla.novell.com/show_bug.cgi?id=758431
https://bugzilla.redhat.com/show_bug.cgi?id=817692
This needs verification. Please ask if you need my help.
-- System Information:
Debian Release: 6.0.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libsoup2.4-1 depends on:
ii libc6 2.11.3-3 Embedded GNU C Library: Shared lib
ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime libr
ii libglib2.0-0 2.24.2-1 The GLib library of C routines
ii libgnutls26 2.8.6-1+squeeze2 the GNU TLS library - runtime libr
ii libxml2 2.7.8.dfsg-2+squeeze3 GNOME XML library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
libsoup2.4-1 recommends no packages.
libsoup2.4-1 suggests no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#672880; Package libsoup2.4-1. (Thu, 06 Sep 2012 16:09:09 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 06 Sep 2012 16:09:09 GMT)
Message #10 received at 672880@bugs.debian.org:
On Mon, May 14, 2012 at 03:29:05PM +0300, Henri Salo wrote:
> Package: libsoup2.4-1
> Version: 2.30.2-1+squeeze1
> Severity: important
> Tags: security
>
> References:
> https://bugzilla.novell.com/show_bug.cgi?id=758431
> https://bugzilla.redhat.com/show_bug.cgi?id=817692
>
> This needs verification. Please ask if you need my help.
What's the status?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#672880; Package libsoup2.4-1. (Fri, 07 Sep 2012 04:45:08 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Fri, 07 Sep 2012 04:45:08 GMT)
Message #15 received at 672880@bugs.debian.org:
No replies from package maintainer. Red Hat bugzilla has several patches:
patch against libsoup 2.32 for bug #817692: https://bugzilla.redhat.com/attachment.cgi?id=581443&action=diff
patch against libsoup 2.34 (F15) for bug #817692 https://bugzilla.redhat.com/attachment.cgi?id=581614&action=diff
Please list tasks for me if there is something I should do to get this issue fixed and closed.
- Henri Salo
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#672880; Package libsoup2.4-1. (Fri, 07 Sep 2012 11:51:03 GMT)
Acknowledgement sent to 672880@bugs.debian.org: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Fri, 07 Sep 2012 11:51:03 GMT)
Message #20 received at 672880@bugs.debian.org:
On Thursday, 6 September 2012 at 18:05 +0200, Moritz Muehlenhoff wrote:
> On Mon, May 14, 2012 at 03:29:05PM +0300, Henri Salo wrote:
> > Package: libsoup2.4-1
> > Version: 2.30.2-1+squeeze1
> > Severity: important
> > Tags: security
> >
> > References:
> > https://bugzilla.novell.com/show_bug.cgi?id=758431
> > https://bugzilla.redhat.com/show_bug.cgi?id=817692
> >
> > This needs verification. Please ask if you need my help.
>
> What's the status?
Epiphany in squeeze is not affected. It correctly displays the validity
status of a certificate, using the root authority in ca-certificates.
From the comments in the upstream report, Midori might be affected
though.
--
Josselin Mouette
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#672880; Package libsoup2.4-1. (Sat, 08 Sep 2012 10:39:03 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sat, 08 Sep 2012 10:39:03 GMT)
Message #25 received at 672880@bugs.debian.org:
I think Midori is indeed affected, as I went to a site which used a self-signed HTTPS certificate and Midori didn't say anything about it. If I am correct, this needs a new bug report and an update to the security tracker. Please note a comment from bugzilla.redhat.com:
"""Dan Winship 2012-05-01 10:45:08 EDT
The CVE is wrong. The bug is in Midori. It is telling libsoup to trust all SSL certificates, and so then libsoup reports that all SSL certificates are trusted, just like Midori asked.
To the extent that this is libsoup's fault, it's because it supports the feature Midori is trying to implement here, but doesn't document how to do it correctly. But it is *possible* to do it correctly, as seen in epiphany.
The SUSE patch is just wrong, as I'm sure they will notice shortly... (eg, it will completely break https in evolution)."""
I tested using midori 0.2.4-3 (squeeze).
- Henri Salo
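The distinction Dan Winship draws in the comment quoted above is the one that matters for anyone building an HTTPS client on top of a library: if you switch the library's verification off wholesale and then ask it whether the certificate was trusted, it can only answer yes, because nothing was checked. The program below is an added example, not code from this bug report, from libsoup, Midori or Epiphany. It is written against Go's standard library so that it runs offline without libsoup, and it models the two client configurations the comment contrasts. Everything in it is constructed: the self-signed "localhost" certificate is generated on the fly to stand in for the site Henri tested, an in-memory pipe replaces the network, the trustAll flag stands for Midori's "trust every certificate, no CA file" setting, and the roots parameter stands for the ca-certificates bundle Epiphany verifies against. In both configurations the handshake is allowed to complete so the page still loads; the difference is whether a real verification result exists to paint the URL bar red.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway self-signed certificate for "localhost", standing in for the
// self-signed site Henri tested (constructed here, not from the report); the parsed form doubles as its root.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// connect handshakes with serverCert over an in-memory pipe and reports whether the certificate
// verified. A failed verification never aborts the handshake, so the page loads either way.
// trustAll models the Midori setting ("trust every certificate, no CA file"): nothing is checked, so
// the flag reports trusted exactly as asked. Otherwise, as Epiphany does, the certificate is verified
// against the given roots (standing in for the ca-certificates bundle) and the result is recorded.
func connect(serverCert tls.Certificate, trustAll bool, roots ...*x509.Certificate) (trusted bool, err error) {
	bundle := x509.NewCertPool()
	for _, r := range roots {
		bundle.AddCert(r)
	}
	clientCfg := &tls.Config{
		InsecureSkipVerify: true, // built-in check off; verified below, result only recorded
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if trustAll {
				trusted = true // "trust all": the flag can never say anything else
				return nil
			}
			leaf, perr := x509.ParseCertificate(rawCerts[0])
			if perr != nil {
				return fmt.Errorf("malformed server certificate: %w", perr) // garbage does abort
			}
			inter := x509.NewCertPool() // any intermediates the server sent
			for _, raw := range rawCerts[1:] {
				if c, cerr := x509.ParseCertificate(raw); cerr == nil {
					inter.AddCert(c)
				}
			}
			_, verr := leaf.Verify(x509.VerifyOptions{Roots: bundle, Intermediates: inter, DNSName: "localhost"})
			trusted = verr == nil // recorded for the URL bar, never fatal
			return nil
		},
	}
	cliConn, srvConn := net.Pipe() // in-memory; TLS 1.2 below has no post-handshake messages to stall it
	defer cliConn.Close()
	defer srvConn.Close()
	srv := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{serverCert}, MaxVersion: tls.VersionTLS12})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if err = tls.Client(cliConn, clientCfg).Handshake(); err != nil {
		return false, err
	}
	if err = <-errc; err != nil {
		return false, err
	}
	return trusted, nil
}

func main() {
	serverCert, root, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	trusted, err := connect(serverCert, true) // Midori: loads, always reports trusted
	fmt.Println("trust-all:  trusted =", trusted, "err =", err)
	trusted, err = connect(serverCert, false) // Epiphany, root not in the bundle: loads, untrusted (red bar)
	fmt.Println("unknown CA: trusted =", trusted, "err =", err)
	trusted, err = connect(serverCert, false, root) // root in the bundle: loads, trusted
	fmt.Println("known CA:   trusted =", trusted, "err =", err)
}
```

Running it prints three lines. With trustAll the flag says trusted although the certificate is self-signed and nothing looked at it; with an empty bundle the page loads but the flag says untrusted, which is the state a browser should surface (the red URL bar Yves-Alexis describes for his Midori); with the certificate's own root in the bundle the flag says trusted for the right reason. Returning a non-nil error from the callback is the only way the handshake is refused here, and it is reserved for a certificate that cannot even be parsed.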
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#672880; Package libsoup2.4-1. (Tue, 09 Oct 2012 21:36:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 09 Oct 2012 21:36:04 GMT)
Message #30 received at 672880@bugs.debian.org:
reassign 672880 midori
severity 672880 normal
thanks
On Fri, Sep 07, 2012 at 01:47:54PM +0200, Josselin Mouette wrote:
> Le jeudi 06 septembre 2012 à 18:05 +0200, Moritz Muehlenhoff a écrit :
> > On Mon, May 14, 2012 at 03:29:05PM +0300, Henri Salo wrote:
> > > Package: libsoup2.4-1
> > > Version: 2.30.2-1+squeeze1
> > > Severity: important
> > > Tags: security
> > >
> > > References:
> > > https://bugzilla.novell.com/show_bug.cgi?id=758431
> > > https://bugzilla.redhat.com/show_bug.cgi?id=817692
> > >
> > > This needs verification. Please ask if you need my help.
> >
> > What's the status?
>
> Epiphany in squeeze is not affected. It displays correctly the validity
> status of a certificate, using the root authority in ca-certificates.
>
> From the comments in the upstream report, Midori might be affected
> though.
I agree this is rather a bug in Midori than in libsoup. Reassigning.
I'm lowering the severity since Midori isn't covered by security support
anyway (being webkit-based).
Cheers,
Moritz
Bug reassigned from package 'libsoup2.4-1' to 'midori'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Tue, 09 Oct 2012 21:36:10 GMT)
No longer marked as found in versions libsoup2.4/2.30.2-1+squeeze1. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Tue, 09 Oct 2012 21:36:11 GMT)
Severity set to 'normal' from 'important'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Tue, 09 Oct 2012 21:36:12 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>: Bug#672880; Package midori. (Wed, 10 Oct 2012 06:15:03 GMT)
Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>: Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>. (Wed, 10 Oct 2012 06:15:03 GMT)
Message #41 received at 672880@bugs.debian.org:
Control: forcemerge 607497 -1
thanks
On Tue, 2012-10-09 at 21:36 +0000, Debian Bug Tracking System wrote:
> Processing commands for control@bugs.debian.org:
>
> > reassign 672880 midori
> Bug #672880 [libsoup2.4-1] CVE-2012-2132: does not indicate whether or not an SSL certificate is valid
> Bug reassigned from package 'libsoup2.4-1' to 'midori'.
> No longer marked as found in versions libsoup2.4/2.30.2-1+squeeze1.
> Ignoring request to alter fixed versions of bug #672880 to the same values previously set
> > severity 672880 normal
> Bug #672880 [midori] CVE-2012-2132: does not indicate whether or not an SSL certificate is valid
> Severity set to 'normal' from 'important'
> > thanks
> Stopping processing here.
>
> Please contact me if you need assistance.
(when reassigning, please provide a bit of context…)
Actually the same kind of question was already raised (see #607497) and
already assigned a CVE (CVE-2010-3900).
Henri, did you actually check? Because, here, loading an https website
with a CA not recognized correctly turns the url bar to red.
The version in git is a bit more aggressive, it won't even load the
website if it can't validate the certificate. It's a bit rude against
people using self-signed certificates (which are a perfectly valid
usage) but there's not much options right now.
Obviously, it's not targeted at Wheezy (nor at sid either, for that
matter, because of the ftp-masters' position on waf)
Regards,
--
Yves-Alexis
Severity set to 'important' from 'normal'. Request was from Yves-Alexis Perez <corsac@debian.org> to 672880-submit@bugs.debian.org. (Wed, 10 Oct 2012 06:15:03 GMT)
Marked as fixed in versions midori/0.2.7-1.1. Request was from Yves-Alexis Perez <corsac@debian.org> to 672880-submit@bugs.debian.org. (Wed, 10 Oct 2012 06:15:04 GMT)
Marked as found in versions midori/0.2.7-1.1. Request was from Yves-Alexis Perez <corsac@debian.org> to 672880-submit@bugs.debian.org. (Wed, 10 Oct 2012 06:15:04 GMT)
Added tag(s) squeeze and fixed-upstream. Request was from Yves-Alexis Perez <corsac@debian.org> to 672880-submit@bugs.debian.org. (Wed, 10 Oct 2012 06:15:05 GMT)
Merged 607497 672880. Request was from Yves-Alexis Perez <corsac@debian.org> to 672880-submit@bugs.debian.org. (Wed, 10 Oct 2012 06:15:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>: Bug#672880; Package midori. (Wed, 10 Oct 2012 06:24:08 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>. (Wed, 10 Oct 2012 06:24:08 GMT)
Message #58 received at 672880@bugs.debian.org:
On Wed, Oct 10, 2012 at 08:13:15AM +0200, Yves-Alexis Perez wrote:
> Henri, did you actually check? Because, here, loading an https website
> with a CA not recognized correctly turns the url bar to red.
Yes I tested Midori package in squeeze: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672880#25
I can test other packages as well if needed.
- Henri Salo
Information forwarded to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>: Bug#672880; Package midori. (Wed, 10 Oct 2012 14:21:26 GMT)
Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>: Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>. (Wed, 10 Oct 2012 14:21:27 GMT)
Message #63 received at 672880@bugs.debian.org:
On Wed, 2012-10-10 at 09:23 +0300, Henri Salo wrote:
> On Wed, Oct 10, 2012 at 08:13:15AM +0200, Yves-Alexis Perez wrote:
> > Henri, did you actually check? Because, here, loading an https website
> > with a CA not recognized correctly turns the url bar to red.
>
> Yes I tested Midori package in squeeze: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672880#25
>
Well, in Squeeze, the same thing applies as for CVE-2010-3900.
--
Yves-Alexis
Information forwarded to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>: Bug#672880; Package midori. (Wed, 10 Oct 2012 14:51:07 GMT)
Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>: Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>. (Wed, 10 Oct 2012 14:51:07 GMT)
Message #68 received at 672880@bugs.debian.org:
On Wed, 2012-10-10 at 17:28 +0300, Henri Salo wrote:
> On Wed, Oct 10, 2012 at 04:20:34PM +0200, Yves-Alexis Perez wrote:
> > On Wed, 2012-10-10 at 09:23 +0300, Henri Salo wrote:
> > > On Wed, Oct 10, 2012 at 08:13:15AM +0200, Yves-Alexis Perez wrote:
> > > > Henri, did you actually check? Because, here, loading an https website
> > > > with a CA not recognized correctly turns the url bar to red.
> > >
> > > Yes I tested Midori package in squeeze: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672880#25
> > >
> >
> > Well, in Squeeze, the same thing applies than for CVE-2010-3900.
> > --
> > Yves-Alexis
>
> Hello,
>
> Sorry I am not sure I get your point in here. So you are saying that
> there is duplicate CVE assigned? Do you want me to ask the newer CVE to
> be rejected?
I'm unsure, but as far as I understand it, it's not the same code
involved. CVE-2010-3900 is fixed in recent midori, while CVE-2012-2132
is not.
For Debian, Squeeze is vulnerable to CVE-2010-3900 but I'm not sure it's
vulnerable to CVE-2012-2132 since it's not the same mechanism used, or
something.
For Sid, CVE-2010-3900 is fixed, CVE-2012-2132 is not and won't be as
long as the waf situation is not solved, one way or another.
Regards,
--
Yves-Alexis
Information forwarded to debian-bugs-dist@lists.debian.org, hramrach@gmail.com, Ryan Niebur <ryan@debian.org>: Bug#672880; Package midori. (Fri, 14 Dec 2012 17:21:03 GMT)
Acknowledgement sent to Michal Suchanek <michal.suchanek@ruk.cuni.cz>: Extra info received and forwarded to list. Copy sent to hramrach@gmail.com, Ryan Niebur <ryan@debian.org>. (Fri, 14 Dec 2012 17:21:04 GMT)
Message #73 received at 672880@bugs.debian.org:
Package: midori
Version: 0.4.3-1
Followup-For: Bug #672880
Hello,
how come this bug is not marked grave as per 'introduces a security hole
allowing access to the accounts of users who use the package' ?
It is nice to have a choice of software in Debian, but when the software
has a security hole then it should be
a) fixed
b) removed from the archive
Especially since we are nearing a release and there is no fix in sight,
b) is applicable.
Thanks
Michal
No longer marked as fixed in versions midori/0.2.7-1.1. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Fri, 04 Oct 2013 13:45:10 GMT)
Marked as fixed in versions midori/0.2.7-1.1. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Fri, 04 Oct 2013 13:51:13 GMT)
No longer marked as fixed in versions midori/0.2.7-1.1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 24 Nov 2013 20:39:34 GMT)
Message #80 received at 607497-done@bugs.debian.org:
Dear submitter,
these bugs are tagged squeeze without any wheezy/jessie/stretch tag
implying that the bug is not present in more recent Debian releases.
squeeze is no longer supported.
We are sorry that we couldn't deal with your issue in squeeze.
If this bug was incorrectly tagged squeeze, please reopen the bug
and remove the squeeze tag.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 28 Mar 2017 07:41:38 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:21:08 2019; Machine Name: buxtehude