CVE-2013-0240: fails to verify SSL certificates when creating accounts

Debian Bug report logs - #699825

Reported by: Simon McVittie <smcv@debian.org>

Date: Tue, 5 Feb 2013 16:48:01 UTC

Severity: grave

Tags: security

Found in version gnome-online-accounts/3.4.2-1

Fixed in version gnome-online-accounts/3.4.2-2

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=693214


Report forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#699825; Package gnome-online-accounts. (Tue, 05 Feb 2013 16:48:04 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 05 Feb 2013 16:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-0240: fails to verify SSL certificates when creating accounts
Date: Tue, 5 Feb 2013 16:45:08 +0000
Package: gnome-online-accounts
Version: 3.4.2-1
Severity: grave
Tags: security pending
Justification: user security hole

I discovered this vulnerability, which was just made public on oss-security:
> it was found that Gnome Online Accounts (GOA)
> did not perform SSL certificate validation, when
> performing Windows Live and Facebook accounts creation.
> A remote attacker could use this flaw to conduct
> man-in-the-middle (MiTM) attacks, possibly leading
> to their ability to obtain sensitive information.

It's fixed in upstream master.

I have a backport to 3.4 on the way (it needs testing though).

3.6 in experimental is also affected. I've asked upstream for a backported
patch for 3.6; we'll see what happens...

    S



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 05 Feb 2013 17:51:17 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 05 Feb 2013 17:51:17 GMT)


Message #10 received at 699825-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 699825-close@bugs.debian.org
Subject: Bug#699825: fixed in gnome-online-accounts 3.4.2-2
Date: Tue, 05 Feb 2013 17:47:39 +0000
Source: gnome-online-accounts
Source-Version: 3.4.2-2

We believe that the bug you reported is fixed in the latest version of
gnome-online-accounts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699825@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated gnome-online-accounts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 05 Feb 2013 15:51:24 +0000
Source: gnome-online-accounts
Binary: gnome-online-accounts libgoa-1.0-0 libgoa-1.0-dev libgoa-1.0-common libgoa-1.0-doc gir1.2-goa-1.0
Architecture: source all amd64
Version: 3.4.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 gir1.2-goa-1.0 - Introspection data for GNOME Online Accounts
 gnome-online-accounts - GNOME Online Accounts
 libgoa-1.0-0 - library for GNOME Online Accounts
 libgoa-1.0-common - library for GNOME Online Accounts - common files
 libgoa-1.0-dev - library for GNOME Online Accounts - development files
 libgoa-1.0-doc - library for GNOME Online Accounts - documentation files
Closes: 699825
Changes: 
 gnome-online-accounts (3.4.2-2) unstable; urgency=medium
 .
   * Team upload.
   * CVE-2013-0240: check TLS certificates for web services (Closes: #699825)




Set Bug forwarded-to-address to 'https://bugzilla.gnome.org/show_bug.cgi?id=693214'. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Wed, 06 Feb 2013 15:18:02 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Mar 2013 07:26:05 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:56:30 2019; Machine Name: buxtehude
