Bug 922895 - VUL-0: CVE-2015-2330: webkit: WebKitGTK+ late TLS certificate verification
VUL-0: CVE-2015-2330: webkit: WebKitGTK+ late TLS certificate verification
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Federico Mena Quintero
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2015-03-18 10:01 UTC by Marcus Meissner
Modified: 2019-08-30 22:49 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2015-03-18 10:01:57 UTC
via oss-sec


From: Michael Catanzaro <mcatanzaro@igalia.com>
Subject: [oss-security] CVE Request: WebKitGTK+ late TLS certificate verification


WebKitGTK+ [1] prior to 2.7.92 performed TLS certificate verification
too late, after sending an HTTP request rather than before. The issue
may be corrected for WebKitGTK+ 2.6.5 and WebKitGTK+ 2.4.8 using the
patch at [2]. Applications are affected if they use the WebKit2GTK+ API
with WEBKIT_TLS_ERRORS_POLICY_FAIL. (This policy is the default in
WebKitGTK+ 2.6.2 and later; applications using earlier versions of
WebKitGTK+ must opt-in to certificate verification failures by calling
webkit_web_context_set_tls_errors_policy.) Applications using the
original WebKitGTK+ 1 API are unaffected because they must handle
certificate verification themselves.

Please assign a CVE for this issue.



[1] http://webkitgtk.org/
Comment 1 Scott Reeves 2015-03-18 22:05:41 UTC
Federico - can you add this on top of the pending 2.4.4 upgrade...
Comment 2 Scott Reeves 2015-03-18 22:06:39 UTC
(In reply to Scott Reeves from comment #1)
> Federico - can you add this on top of the pending 2.4.4 upgrade...

Comment 3 Swamp Workflow Management 2015-03-18 23:00:21 UTC
bugbot adjusting priority
Comment 4 Federico Mena Quintero 2015-03-19 02:12:25 UTC
Yes, let me see if the CVE is public in the webkit commits yet.
Comment 5 Federico Mena Quintero 2015-03-19 23:20:40 UTC
Pulling in the patch from upstream.
Comment 6 Federico Mena Quintero 2015-03-21 01:18:43 UTC
Submitted an updated webkitgtk-2.4.8 to the IBS with request id 53642.