Bug 6330 - libgdata new security issue CVE-2012-1177
Summary: libgdata new security issue CVE-2012-1177
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/506378/
Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA2...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-06-04 22:07 CEST by David Walser
Modified: 2012-08-02 21:21 CEST

See Also:
Source RPM: libgdata-0.6.6-1.mga1.src.rpm
CVE:
Status comment:



Description David Walser 2012-06-04 22:07:15 CEST
Debian has issued an advisory on June 2:
http://www.debian.org/security/2012/dsa-2482

Note the CVE reference in the advisory is wrong (copy-paste from another advisory).  See the Debian bug for the correct CVE reference as well as links to the upstream changes that fixed this.

Also note that this may require an update to libsoup 2.37.91 or newer, or at least a patch to libsoup.

Cauldron/Mageia 2 are not affected as this has been fixed upstream in the versions we have there.
David Walser 2012-06-04 22:07:32 CEST

CC: (none) => olav

David Walser 2012-06-04 22:07:41 CEST

CC: (none) => fundawang

David Walser 2012-06-04 22:07:54 CEST

CC: (none) => jani.valimaa

David Walser 2012-06-04 22:08:04 CEST

CC: (none) => dmorganec

David Walser 2012-06-04 22:08:12 CEST

CC: (none) => cjw

Comment 1 David Walser 2012-07-11 22:02:20 CEST
OpenSuSE has issued an advisory for this today (July 11):
http://lists.opensuse.org/opensuse-updates/2012-07/msg00023.html

URL: (none) => http://lwn.net/Vulnerabilities/506378/

Comment 2 David Walser 2012-07-25 16:50:52 CEST
Mandriva has issued an advisory for this today (July 25):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:111

Comment 3 David Walser 2012-07-25 17:37:11 CEST
The fix from SuSE and Mandriva doesn't require updating libsoup on Mageia 1.

Cauldron and Mageia 2 are also affected, and I have fixed all three versions in SVN.

Mageia 1 and Mageia 2 libgdata packages build fine locally for me.

I submitted the libgdata build in Cauldron and the build failed.  Could someone please fix the (autoconf related) build errors in Cauldron?

Version: 1 => Cauldron
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 4 David Walser 2012-07-25 17:52:11 CEST
Build error in Cauldron fixed thanks to Pascal Terjan.

Since this now builds against rootcerts and we need to update it in Mageia 1 and Mageia 2 anyway, I'll provide it with this update.

Comment 5 David Walser 2012-07-25 18:07:43 CEST
All updated packages are now uploaded.  Assigning to QA.

Advisory:
========================

Updated libgdata packages fix security vulnerability:

It was found that previously libgdata, a GLib-based library for
accessing online service APIs using the GData protocol, did not
perform SSL certificates validation even for secured connections. An
application, linked against the libgdata library and holding the
trust about the other side of the connection being the valid owner
of the certificate, could be tricked into accepting of a spoofed SSL
certificate by mistake (MITM attack) (CVE-2012-1177).

Additionally, because this now builds against the rootcerts package,
rootcerts has been updated to the latest version and nss has been
rebuilt against the new rootcerts package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1177
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:111
========================

Updated packages in core/updates_testing:
========================
rootcerts-20120628.00-1.mga1
rootcerts-java-20120628.00-1.mga1
rootcerts-20120628.00-1.mga2
rootcerts-java-20120628.00-1.mga2
nss-3.13.5-1.1.mga1
nss-doc-3.13.5-1.1.mga1
libnss3-3.13.5-1.1.mga1
libnss-devel-3.13.5-1.1.mga1
libnss-static-devel-3.13.5-1.1.mga1
nss-3.13.5-1.1.mga2
nss-doc-3.13.5-1.1.mga2
libnss3-3.13.5-1.1.mga2
libnss-devel-3.13.5-1.1.mga2
libnss-static-devel-3.13.5-1.1.mga2
libgdata-i18n-0.6.6-1.1.mga1
libgdata7-0.6.6-1.1.mga1
libgdata-devel-0.6.6-1.1.mga1
libgdata-i18n-0.12.0-1.1.mga2
libgdata13-0.12.0-1.1.mga2
libgdata-devel-0.12.0-1.1.mga2
libgdata-gir0.0-0.12.0-1.1.mga2

rootcerts-20120628.00-1.mga1.src.rpm
rootcerts-20120628.00-1.mga2.src.rpm
nss-3.13.5-1.1.mga1.src.rpm
nss-3.13.5-1.1.mga2.src.rpm
libgdata-0.6.6-1.1.mga1.src.rpm
libgdata-0.12.0-1.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 6 Dave Hodgins 2012-08-01 03:03:21 CEST
Looks to me like all we need to test for this is pop3s access in
evolution, plus standard browsing to https sites works.

After setting up evolution to access a pop3s account (localhost/dovecot),
the first attempt to get mail shows
SSL Certificate for 'localhost' is not trusted. Do you wish to accept it?
so clearly it is now checking the connection.

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO has_procedure MGA2-64-OK

Comment 7 Dave Hodgins 2012-08-01 03:04:04 CEST
I'll test the other arch and release shortly.

Comment 8 Dave Hodgins 2012-08-01 03:28:21 CEST
Testing complete on Mageia 2 i586.

Whiteboard: MGA1TOO has_procedure MGA2-64-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK

Dave Hodgins 2012-08-01 03:36:51 CEST

Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK

Comment 9 Dave Hodgins 2012-08-01 03:46:52 CEST
Testing complete on Mageia 1 i586 and x86-64.

Could someone from the sysadmin team push this update for
both Mageia 1 and 2?

Please see comment 5 for the list of srpms and advisory.

https://bugs.mageia.org/show_bug.cgi?id=6330

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK MGA1-64-OK

Comment 10 Thomas Backlund 2012-08-02 21:21:03 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0190

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

