Mageia Bugzilla – Bug 6330
libgdata new security issue CVE-2012-1177
Last modified: 2012-08-02 21:21:03 CEST
Debian has issued an advisory on June 2:
Note the CVE reference in the advisory is wrong (copy-paste from another advisory). See the Debian bug for the correct CVE reference as well as links to the upstream changes that fixed this.
Also note that this may require an update to libsoup 2.37.91 or newer, or at least a patch to libsoup.
Cauldron/Mageia 2 are not affected as this has been fixed upstream in the versions we have there.
OpenSuSE has issued an advisory for this today (July 11):
Mandriva has issued an advisory for this today (July 25):
The fix from SuSE and Mandriva doesn't require updating libsoup on Mageia 1.
Cauldron and Mageia 2 are also affected, and I have fixed all three versions in SVN.
Mageia 1 and Mageia 2 libgdata packages build fine locally for me.
I submitted the libgdata build in Cauldron and the build failed. Could someone please fix the (autoconf related) build errors in Cauldron?
Build error in Cauldron fixed thanks to Pascal Terjan.
Since this now builds against rootcerts and we need to update it in Mageia 1 and Mageia 2 anyway, I'll provide it with this update.
All updated packages are now uploaded. Assigning to QA.
Updated libgdata packages fix security vulnerability:
It was found that previously libgdata, a GLib-based library for
accessing online service APIs using the GData protocol, did not
perform SSL certificates validation even for secured connections. An
application, linked against the libgdata library and holding the
trust about the other side of the connection being the valid owner
of the certificate, could be tricked into accepting of a spoofed SSL
certificate by mistake (MITM attack) (CVE-2012-1177).
Additionally, because this now builds against the rootcerts package,
rootcerts has been updated to the latest version and nss has been
rebuilt against the new rootcerts package.
Updated packages in core/updates_testing:
Looks to me like all we need to test for this is pop3s access in
evolution, plus standard browsing to https sites works.
After setting up evolution to access a pop3s acccount (localhost/dovecot),
the first attempt to get mail shows
SSL Certificate for 'localhost' is not trusted. Do you wish to accept it?
so clearly it is now checking the connection.
I'll test the other arch and release shortly.
Testing complete on Mageia 2 i586.
Testing complete on Mageia 1 i586 and x86-64.
Could someone from the sysadmin team push this update for
both Mageia 1 and 2.
Please see comment 5 for the list of srpms and advisory.