On Wed, Apr 24, 2013 at 05:39:59PM +0100, Simon McVittie wrote:
> On 24/04/13 17:05, Simon McVittie wrote:
> > On Wed, 24 Apr 2013 at 16:25:46 +0100, Simon McVittie wrote:
> >> telepathy-idle < 0.1.15 does not verify that the server's TLS certificate
> >> was issued by a trusted CA, or that it hasn't expired, or that it matches
> >> the server's hostname.
> >
> > Here is a proposed patch for wheezy, either via t-p-u for wheezy r0 or
> > security/s-p-u for wheezy r1.
>
> Security team: wheezy is vulnerable to this, and has a somewhat older
> upstream version than unstable (so it can't migrate that way). How do
> you want us to deal with this? I've re-attached the proposed patch for
> wheezy for your reference.
>
> I've requested a CVE ID on oss-security.
>
> I don't have a patch for squeeze, which would require implementing
> OpenSSL cert-checking in long-superseded code.
>
> I don't think this is RC, particularly for squeeze: IRC is typically
> used without SSL, and the telepathy-idle version in squeeze is a pretty
> poor IRC implementation in general. It's telling that this is the one
> Telepathy component that has never had a stable-branch...
Please fix this through a point update for Wheezy post release.

Cheers,
Moritz
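The three checks the quoted report says telepathy-idle < 0.1.15 skipped (chain to a trusted CA, validity period, hostname match), as an added example that is not part of this thread and not telepathy-idle's own code: a Go verifier built on the standard crypto/x509 package, exercised against a throwaway PKI constructed in the same file. The hostname irc.example.test, the CA names, the serial numbers and the helper names are all assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hostname the client believes it dialed. Constructed for this example.
const ircHost = "irc.example.test"

// verifyServer does the three checks the report says the old client skipped:
// the chain ends at a trusted root, every certificate is valid at now, and
// the leaf carries the hostname that was dialed. A client that returns nil
// here unconditionally (the pre-fix behaviour) accepts every chain below.
func verifyServer(chain []*x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	if len(chain) == 0 {
		return errors.New("server presented no certificate")
	}
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: intermediates, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// template builds a CA or server-leaf template for the constructed PKI.
func template(serial int64, name string, ca bool, notBefore, notAfter time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore, NotAfter: notAfter,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mustCert issues a P-256 certificate from tmpl; with parent == nil it is
// self-signed. It panics only on entropy or encoding failure.
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// RunScenarios builds a constructed PKI (a trusted CA, a rogue CA and leaves
// for ircHost) and returns verifyServer's verdict for each case the report
// lists. Only the first case should come back nil.
func RunScenarios(now time.Time) map[string]error {
	h, d := time.Hour, 24*time.Hour
	ca, caKey := mustCert(template(1, "Trusted Test CA", true, now.Add(-h), now.Add(d)), nil, nil)
	rogue, rogueKey := mustCert(template(2, "Rogue Test CA", true, now.Add(-h), now.Add(d)), nil, nil)
	good, _ := mustCert(template(3, ircHost, false, now.Add(-h), now.Add(h)), ca, caKey)
	expired, _ := mustCert(template(4, ircHost, false, now.Add(-2*d), now.Add(-d)), ca, caKey)
	mitm, _ := mustCert(template(5, ircHost, false, now.Add(-h), now.Add(h)), rogue, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return map[string]error{
		"valid chain, dialed host": verifyServer([]*x509.Certificate{good, ca}, roots, ircHost, now),
		"valid chain, other host":  verifyServer([]*x509.Certificate{good, ca}, roots, "irc.other.test", now),
		"expired leaf":             verifyServer([]*x509.Certificate{expired, ca}, roots, ircHost, now),
		"leaf from untrusted CA":   verifyServer([]*x509.Certificate{mitm, rogue}, roots, ircHost, now),
	}
}

func main() {
	for name, err := range RunScenarios(time.Now()) {
		fmt.Printf("%-26s %v\n", name, err)
	}
}
```

A real IRC client performs these checks inside the TLS handshake rather than on a captured chain, but the decision is the same one: a leaf for a different host, an expired leaf, or a chain rooted at a CA the client does not trust must abort the connection. The "leaf from untrusted CA" case is the interposition scenario the report is about: the name and dates are perfect, and only the trust check distinguishes it from the genuine server.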