Launchpad has imported 8 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=894352.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2013-01-14T13:16:09+00:00 Jan wrote:

This issue affects the versions of the gnome-online-accounts package, as shipped with Fedora release of 16 and 17.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-online-accounts/+bug/1117411/comments/0

------------------------------------------------------------------------
On 2013-02-05T15:51:01+00:00 Jan wrote:

It was found that Gnome Online Accounts (GOA) did not perform SSL certificate validation, when performing Windows Live and Facebook accounts creation. A remote attacker could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly leading to their ability to obtain sensitive information.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-online-accounts/+bug/1117411/comments/1

------------------------------------------------------------------------
On 2013-02-05T15:53:06+00:00 Jan wrote:

Acknowledgements:

Red Hat would like to thank Simon McVittie for reporting this issue.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-online-accounts/+bug/1117411/comments/2

------------------------------------------------------------------------
On 2013-02-05T16:04:47+00:00 Jan wrote:

Relevant upstream patch:
[1] http://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-online-accounts/+bug/1117411/comments/3

------------------------------------------------------------------------
On 2013-02-05T16:06:14+00:00 Jan wrote:

Created gnome-online-accounts tracking bugs for this issue

Affects: fedora-all [bug 908000]

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-online-accounts/+bug/1117411/comments/4

------------------------------------------------------------------------
On 2013-02-27T02:41:22+00:00 Fedora wrote:

gnome-online-accounts-3.4.2-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-online-accounts/+bug/1117411/comments/6

------------------------------------------------------------------------
On 2013-03-19T20:00:45+00:00 Fedora wrote:

gnome-online-accounts-3.6.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-online-accounts/+bug/1117411/comments/7

------------------------------------------------------------------------
On 2013-03-28T18:04:17+00:00 Vincent wrote:

Just to note that CVE-2013-1799 was assigned to the incomplete fix present in 3.6.3 and 3.7.5 (I'm presuming some beta or pre-releases).

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-0240 to the following vulnerability:

Name: CVE-2013-0240
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0240
Assigned: 20121206
Reference: https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=894352
Reference: https://bugzilla.gnome.org/show_bug.cgi?id=693214
Reference: https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=ecad8142e9ac519b9fc74b96dcb5531052bbffe1
Reference: https://git.gnome.org/browse/gnome-online-accounts/commit/?id=bc10fdb68f75f8be84eb698ada08743b9c7c248f
Reference: https://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e

Gnome Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.5, does not properly validate SSL certificates when creating accounts such as Windows Live and Facebook accounts, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network.

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1799 to the following vulnerability:

Name: CVE-2013-1799
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1799
Assigned: 20130219
Reference: https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html
Reference: https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00020.html
Reference: https://bugzilla.gnome.org/show_bug.cgi?id=693214
Reference: https://bugzilla.gnome.org/show_bug.cgi?id=695106
Reference: https://git.gnome.org/browse/gnome-online-accounts/commit/?id=9cf4bc0ced2c53bcdd36922caa65afc8a167bbd8

Gnome Online Accounts (GOA) 3.6.x before 3.6.3 and 3.7.x before 3.7.91, does not properly validate SSL certificates when creating accounts for providers who use the libsoup library, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network. NOTE: this issue exists because of an incomplete fix for CVE-2013-0240.

I do not believe that CVE-2013-1799 affects us as we have the fixed 3.6.3 and 3.4.2 updates. Can someone confirm that this is indeed the case?

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-online-accounts/+bug/1117411/comments/9

** Changed in: gnome-online-accounts (Fedora)
   Status: Unknown => Fix Released

** Changed in: gnome-online-accounts (Fedora)
   Importance: Unknown => Medium

** Bug watch added: GNOME Bug Tracker #695106
   https://bugzilla.gnome.org/show_bug.cgi?id=695106

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gnome-online-accounts in Ubuntu.
https://bugs.launchpad.net/bugs/1117411

Title:
  CVE-2013-0240: fails to verify SSL certificates when creating accounts

Status in gnome-online-accounts:
  Fix Released
Status in gnome-online-accounts package in Ubuntu:
  Fix Released
Status in gnome-online-accounts package in Debian:
  Fix Released
Status in gnome-online-accounts package in Fedora:
  Fix Released

Bug description:
  See:

  https://bugzilla.gnome.org/show_bug.cgi?id=693214
  https://bugzilla.redhat.com/show_bug.cgi?id=894352

  At the time of writing, there is no patch for the 3.6 series, only for 3.4 and 3.7.