libgdata does not validate SSL certificates
Bug #938812 reported by Vreixo Formoso
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libgdata | Fix Released | Critical | |
libgdata (Ubuntu) | Fix Released | Medium | Unassigned |
Lucid | Fix Released | Medium | Unassigned |
Maverick | Won't Fix | Medium | Unassigned |
Natty | Fix Released | Medium | Unassigned |
Oneiric | Won't Fix | Medium | Unassigned |
Precise | Fix Released | Medium | Unassigned |
Bug Description
When accessing Google services over SSL, the certificate is not validated, which allows a MITM attack that can expose user name and password. This bug can be easily exploited using a tool such as sslsniff. At least Evolution is affected by this bug (see bug #933659).
Changed in libgdata (Ubuntu):
status: New → Triaged
visibility: private → public
Changed in libgdata (Ubuntu Lucid):
status: New → Confirmed
Changed in libgdata (Ubuntu Maverick):
status: New → Confirmed
Changed in libgdata (Ubuntu Natty):
status: New → Confirmed
Changed in libgdata (Ubuntu Oneiric):
status: New → Confirmed
Changed in libgdata (Ubuntu Precise):
status: Triaged → Fix Released
Changed in libgdata (Ubuntu Lucid):
importance: Undecided → Medium
Changed in libgdata (Ubuntu Maverick):
importance: Undecided → Medium
Changed in libgdata (Ubuntu Natty):
importance: Undecided → Medium
Changed in libgdata (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in libgdata (Ubuntu Precise):
importance: Undecided → Medium
Changed in libgdata:
importance: Unknown → Critical
status: Unknown → Fix Released
I've sent the report upstream, thanks.