The “secure by default” release. This fixes missing certificate validation in IRC-over-SSL (CVE ID not yet issued). Upgrading is recommended.

Distributors who ship versions 0.1.11-0.1.14 can correct this flaw by removing the call to g_socket_client_set_tls_validation_flags(), similar to [1]. Versions 0.1.10 and older do not validate certificates at all; no patch is available for these releases.

tarball: http://telepathy.freedesktop.org/releases/telepathy-idle/telepathy-idle-0.1.15.tar.gz
signature: http://telepathy.freedesktop.org/releases/telepathy-idle/telepathy-idle-0.1.15.tar.gz.asc
git: http://cgit.freedesktop.org/telepathy/telepathy-idle

Fixes:

• Validate TLS certificates properly, preventing man-in-the-middle attacks. (fd.o#63810, Simon)

  This will be a regression for users of IRC-over-SSL servers/proxies that do not have a certificate trusted by system-wide CA configuration; they will no longer be able to connect. If someone implements fd.o #57130, that will provide the ability for those users to approve additional certificates.

• Fix compilation and regression tests with GLib 2.36 (Simon)

[1] http://anonscm.debian.org/gitweb/?p=pkg-telepathy/telepathy-idle.git;a=blob;f=debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch;h=308f11a5743b75855b1cf63fea9ee14fc1d9eb8c;hb=f94f157221692a3609a3cd27fdc8ec4ed8ab1f23
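For distributors applying the fix described above, one way to confirm that a patched source tree no longer calls g_socket_client_set_tls_validation_flags(). This is an added example, not part of the announcement or of telepathy-idle; the function names, the file layout and the sample C files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a C source tree for calls that override GIO's default
# TLS certificate validation on a GSocketClient.
FUNC='g_socket_client_set_tls_validation_flags'

# Print "file:line:source" for each call to $FUNC under directory $1 that is
# not inside a // or single-line /* */ comment.
# Returns 0 if a call remains (patch still needed), 1 if the tree is clean.
find_validation_overrides() {
    hits=$(find "$1" -type f -name '*.c' | sort | while IFS= read -r f; do
        awk -v fn="$FUNC" '{
            code = $0
            gsub(/\/\*.*\*\//, "", code)   # drop single-line block comments
            sub(/\/\/.*/, "", code)        # drop line comments
            if (code ~ fn "[ \t]*\\(") print FILENAME ":" FNR ":" $0
        }' "$f"
    done)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Constructed sample trees (not telepathy-idle's real source): "flawed" still
# makes the call, "patched" only mentions the function in a comment.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/flawed/src" "$root/patched/src"
    cat > "$root/flawed/src/conn.c" <<'EOF'
#include <gio/gio.h>
static void setup(GSocketClient *client, GTlsCertificateFlags flags) {
    g_socket_client_set_tls(client, TRUE);
    g_socket_client_set_tls_validation_flags (client, flags);
}
EOF
    cat > "$root/patched/src/conn.c" <<'EOF'
#include <gio/gio.h>
static void setup(GSocketClient *client) {
    g_socket_client_set_tls(client, TRUE);
    /* g_socket_client_set_tls_validation_flags() removed: defaults apply */
}
EOF
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /path/to/unpacked/source
[ $# -eq 0 ] || find_validation_overrides "$1"
```

An exit status of 0 with a printed location means the tree still overrides the validation flags; an exit status of 1 means no call was found.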
