registry team mailing list archive

Thread
Date

[Bug 705363] [NEW] gwibber bypasses certificate checking when providing the login/password for OAuth

To: registry@xxxxxxxxxxxxxxxxxxx
From: Raphaël Hertzog <hertzog@xxxxxxxxxx>
Date: Thu, 20 Jan 2011 11:09:10 -0000
Reply-to: Bug 705363 <705363@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a security vulnerability ***

Public security bug reported:

Someone reported this in Debian: http://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=608724

identi.ca had (mistakenly) installed an SSL certificate not recognized
by the installed CA, yet the user has been presented with the OAuth
login screen even if that https connection could not be authentified.

** Affects: gwibber
     Importance: Undecided
         Status: New

** Affects: gwibber (Debian)
     Importance: Unknown
         Status: Unknown

** Visibility changed to: Public

** Bug watch added: Debian Bug tracker #608724
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608724

** Also affects: gwibber (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608724
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Registry
Administrators, which is subscribed to Gwibber.
https://bugs.launchpad.net/bugs/705363

Title:
  gwibber bypasses certificate checking when providing the
  login/password for OAuth

Follow ups

[Bug 705363] [NEW] gwibber bypasses certificate checking when providing the login/password for OAuth
From: Raphaël Hertzog, 2011-01-20

References

[Bug 705363] [NEW] gwibber bypasses certificate checking when providing the login/password for OAuth
From: Raphaël Hertzog, 2011-01-20