Upstream has released telepathy-idle 0.1.15 on April 24:
http://lists.freedesktop.org/archives/telepathy/2013-April/006431.html

The issue is that it doesn't validate SSL certificates when connecting to an IRC server with SSL.

Freeze push requested for 0.1.15 in Cauldron. Updated package uploaded for Mageia 2.

Note to QA: You can test telepathy-idle with an IRC account in empathy. Using SSL, it should only connect if the SSL certificate is trusted by the system CA certs.

Advisory:
========================

Updated telepathy-idle package fixes security vulnerability:

In versions prior to 0.1.15, telepathy-idle does not check the server's SSL/TLS certificate for validity. A network intermediary could use this flaw to carry out man-in-the-middle attacks on IRC users (CVE-2007-6746).

The telepathy-idle package has been updated to version 0.1.15 to fix this issue as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6746
http://lists.freedesktop.org/archives/telepathy/2013-April/006431.html
https://bugs.freedesktop.org/show_bug.cgi?id=63810
http://lists.freedesktop.org/archives/telepathy/2012-November/006304.html
http://lists.freedesktop.org/archives/telepathy/2012-November/006303.html
http://lists.freedesktop.org/archives/telepathy/2012-August/006220.html
========================

Updated packages in core/updates_testing:
========================
telepathy-idle-0.1.15-1.mga2

from telepathy-idle-0.1.15-1.mga2.src.rpm
telepathy-idle-0.1.15-1.mga3 is uploaded in Cauldron.
Fedora has issued an advisory for this: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104397.html
URL: (none) => http://lwn.net/Vulnerabilities/549233/
telepathy-idle 0.1.16 was released to fix some regressions and shortcomings (such as not working with self-signed certs) in 0.1.15:
http://lists.freedesktop.org/archives/telepathy/2013-May/006434.html

I had to patch it to build with telepathy-glib 0.18.x in Mageia 2, due to a header reorganization in telepathy-glib 0.20.x, but that was pretty easy. I reported this upstream.

telepathy-idle 0.1.16 uploaded for Mageia 2 and Cauldron.

Addendum to previous note to QA: It sounds like they've added the ability to interactively verify whether or not to allow untrusted certificates.

Advisory:
========================

Updated telepathy-idle package fixes security vulnerability:

In versions prior to 0.1.15, telepathy-idle does not check the server's SSL/TLS certificate for validity. A network intermediary could use this flaw to carry out man-in-the-middle attacks on IRC users (CVE-2007-6746).

The telepathy-idle package has been updated to version 0.1.16 to fix this issue as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6746
http://lists.freedesktop.org/archives/telepathy/2013-May/006434.html
http://lists.freedesktop.org/archives/telepathy/2013-April/006431.html
https://bugs.freedesktop.org/show_bug.cgi?id=63810
http://lists.freedesktop.org/archives/telepathy/2012-November/006304.html
http://lists.freedesktop.org/archives/telepathy/2012-November/006303.html
http://lists.freedesktop.org/archives/telepathy/2012-August/006220.html
========================

Updated packages in core/updates_testing:
========================
telepathy-idle-0.1.16-1.mga2

from telepathy-idle-0.1.16-1.mga2.src.rpm
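As an added illustration of the check the two QA notes above describe (this is example code, not from the bug report or from telepathy-idle): a small Python probe that attempts an IRC-over-TLS handshake under the policy a fixed client applies, chain validation against the system CA store plus hostname matching, and classifies why a connection would be refused, alongside a context equivalent to the pre-0.1.15 behaviour of accepting any certificate. The port 6697 default and any host you pass in are assumptions, not values from the report.

```python
import socket
import ssl

IRC_TLS_PORT = 6697  # conventional IRC-over-TLS port (assumption, not from the report)


def verifying_context(cafile=None):
    """Policy of a fixed client: chain validation against the system CA store
    (or `cafile`) plus hostname matching, the checks telepathy-idle < 0.1.15 skipped."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context():
    """Policy equivalent to the vulnerable behaviour: every certificate is accepted,
    so an intermediary presenting its own certificate goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy_summary(ctx):
    """Human-readable view of a context's certificate policy, for reports and tests."""
    return {"chain": "required" if ctx.verify_mode == ssl.CERT_REQUIRED else "ignored",
            "hostname": bool(ctx.check_hostname)}


def probe(host, port=IRC_TLS_PORT, ctx=None, timeout=5.0):
    """Attempt a TLS handshake and classify the outcome.

    Returns "verified", "hostname-mismatch", "untrusted-cert", "tls-error" or
    "connect-failed". Only "verified" means a validating client proceeds to speak
    IRC; the QA expectation is that a self-signed server ends up as "untrusted-cert"."""
    ctx = ctx or verifying_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "verified"  # handshake completed under ctx's policy
    except ssl.SSLCertVerificationError as e:
        # verify_message comes from OpenSSL, e.g. "self-signed certificate" or
        # "Hostname mismatch, certificate is not valid for 'irc.example'"
        reason = (e.verify_message or str(e)).lower()
        return "hostname-mismatch" if "hostname mismatch" in reason else "untrusted-cert"
    except ssl.SSLError:
        return "tls-error"  # handshake failed for a non-certificate reason
    except OSError:
        return "connect-failed"  # refused, unreachable or timed out
```

Running `probe()` against the same server with `verifying_context()` and `unverified_context()` shows the difference the update makes: the first refuses a self-signed or mismatched certificate, the second connects regardless.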
Testing complete mga2 64. Now gives a certificate warning for self-signed connections.
Whiteboard: (none) => mga2-64-ok
Whiteboard: mga2-64-ok => has_procedure mga2-64-ok
Severity: normal => major
Testing complete mga2 32.

Validating. Advisory & srpm in comment 3.

Could sysadmin please push from core/updates_testing to core/updates? Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0144
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED