[Pkg-telepathy-maintainers] Bug#706094: telepathy-idle: does not verify TLS certificates properly

Moritz Mühlenhoff jmm at inutil.org
Wed May 1 12:40:57 UTC 2013


On Wed, Apr 24, 2013 at 05:39:59PM +0100, Simon McVittie wrote:
> On 24/04/13 17:05, Simon McVittie wrote:
> > On Wed, 24 Apr 2013 at 16:25:46 +0100, Simon McVittie wrote:
> >> telepathy-idle < 0.1.15 does not verify that the server's TLS certificate was
> >> issued by a trusted CA, or that it hasn't expired, or that it matches the
> >> server's hostname.
> > 
> > Here is a proposed patch for wheezy, either via t-p-u for wheezy r0 or
> > security/s-p-u for wheezy r1.
> 
> Security team: wheezy is vulnerable to this, and has a somewhat older
> upstream version than unstable (so it can't migrate that way). How do
> you want us to deal with this? I've re-attached the proposed patch for
> wheezy for your reference.
> 
> I've requested a CVE ID on oss-security.
> 
> I don't have a patch for squeeze, which would require implementing
> OpenSSL cert-checking in long-superseded code.
> 
> I don't think this is RC, particularly for squeeze: IRC is typically
> used without SSL, and the telepathy-idle version in squeeze is a pretty
> poor IRC implementation in general. It's telling that this is the one
> Telepathy component that has never had a stable-branch...

Please fix this through a point update for Wheezy post release.

Cheers,
        Moritz
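The three checks Simon lists in the quoted report (issuer chains to a trusted CA, certificate is within its validity period, certificate matches the server's hostname) are exactly what a TLS client must do before trusting the connection. The Go program below is an added illustration, not telepathy-idle's code or the wheezy patch: it mints a throwaway CA and server certificates in memory and passes each through the standard library's x509 verifier, showing that a correctly configured client rejects a certificate that is expired, signed by an unknown CA, or presented for a different hostname. All names (irc.example.net, Example Root CA, Rogue CA) and the fixed evaluation time are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // monotonically increasing serial numbers for the demo certs

// makeCert issues a certificate for name, signed by parent (self-signed when
// parent is nil). Throwaway P-256 keys; nothing here touches disk or the network.
func makeCert(name string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // hostname goes in the SAN, which is what clients match
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyServerCert performs the three checks the bug report says were missing:
// chain to a trusted root, validity at time now, and a hostname match.
// It returns nil when the certificate is acceptable, else the reason for rejection.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// scenarios builds one trusted CA plus leaf certificates for each failure mode
// and reports whether a verifying client accepts each one.
func scenarios() map[string]bool {
	now := time.Date(2013, 5, 1, 12, 0, 0, 0, time.UTC) // constructed evaluation time
	day, year := 24*time.Hour, 365*24*time.Hour

	caCert, caKey := makeCert("Example Root CA", now.Add(-day), now.Add(year), true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the only CA the client trusts

	host := "irc.example.net"
	good, _ := makeCert(host, now.Add(-time.Hour), now.Add(30*day), false, caCert, caKey)
	expired, _ := makeCert(host, now.Add(-2*day), now.Add(-day), false, caCert, caKey)
	rogueCA, rogueKey := makeCert("Rogue CA", now.Add(-day), now.Add(year), true, nil, nil)
	untrusted, _ := makeCert(host, now.Add(-time.Hour), now.Add(30*day), false, rogueCA, rogueKey)

	return map[string]bool{
		"valid":          verifyServerCert(good, roots, host, now) == nil,
		"expired":        verifyServerCert(expired, roots, host, now) == nil,
		"untrusted-ca":   verifyServerCert(untrusted, roots, host, now) == nil,
		"wrong-hostname": verifyServerCert(good, roots, "other.example.net", now) == nil,
	}
}

func main() {
	for name, accepted := range scenarios() {
		fmt.Printf("%-15s accepted=%v\n", name, accepted)
	}
}
```

Only the "valid" case is accepted; a client that skips any one of the three checks (as the affected versions did) would accept the corresponding bad certificate and so could be served a certificate from anyone positioned on the path to the IRC server.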
