Your message dated Tue, 05 Feb 2013 17:47:39 +0000
with message-id <e1u2mcn-0003iu...@franck.debian.org>
and subject line Bug#699825: fixed in gnome-online-accounts 3.4.2-2
has caused the Debian Bug report #699825,
regarding CVE-2013-0240: fails to verify SSL certificates when creating accounts
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
699825: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699825
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnome-online-accounts
Version: 3.4.2-1
Severity: grave
Tags: security pending
Justification: user security hole

I discovered this vulnerability, which was just made public on oss-security:
> it was found that Gnome Online Accounts (GOA)
> did not perform SSL certificate validation, when
> performing Windows Live and Facebook accounts creation.
> A remote attacker could use this flaw to conduct
> man-in-the-middle (MiTM) attacks, possibly leading
> to their ability to obtain sensitive information.

It's fixed in upstream master.

I have a backport to 3.4 on the way (it needs testing though).

3.6 in experimental is also affected. I've asked upstream for a backported
patch for 3.6, we'll see what happens...

    S

--- End Message ---
--- Begin Message ---
Source: gnome-online-accounts
Source-Version: 3.4.2-2

We believe that the bug you reported is fixed in the latest version of
gnome-online-accounts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated gnome-online-accounts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 05 Feb 2013 15:51:24 +0000
Source: gnome-online-accounts
Binary: gnome-online-accounts libgoa-1.0-0 libgoa-1.0-dev libgoa-1.0-common libgoa-1.0-doc gir1.2-goa-1.0
Architecture: source all amd64
Version: 3.4.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Description: 
 gir1.2-goa-1.0 - Introspection data for GNOME Online Accounts
 gnome-online-accounts - GNOME Online Accounts
 libgoa-1.0-0 - library for GNOME Online Accounts
 libgoa-1.0-common - library for GNOME Online Accounts - common files
 libgoa-1.0-dev - library for GNOME Online Accounts - development files
 libgoa-1.0-doc - library for GNOME Online Accounts - documentation files
Closes: 699825
Changes: 
 gnome-online-accounts (3.4.2-2) unstable; urgency=medium
 .
   * Team upload.
   * CVE-2013-0240: check TLS certificates for web services (Closes: #699825)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
