Package: gnome-online-accounts
Version: 3.4.2-1
Severity: grave
Tags: security pending
Justification: user security hole

I discovered this vulnerability, which was just made public on oss-security:

> it was found that Gnome Online Accounts (GOA)
> did not perform SSL certificate validation, when
> performing Windows Live and Facebook accounts creation.
> A remote attacker could use this flaw to conduct
> man-in-the-middle (MiTM) attacks, possibly leading
> to their ability to obtain sensitive information.

It's fixed in upstream master. I have a backport to 3.4 on the way (it needs testing though). 3.6 in experimental is also affected. I've asked upstream for a backported patch for 3.6, we'll see what happens...

S