[Telepathy] Announce: telepathy-idle 0.1.15
Simon McVittie
simon.mcvittie at collabora.co.uk
Wed Apr 24 09:07:49 PDT 2013
The “secure by default” release.

This fixes missing certificate validation in IRC-over-SSL (CVE ID not
yet issued). Upgrading is recommended.

Distributors who ship versions 0.1.11-0.1.14 can correct this flaw by
removing the call to g_socket_client_set_tls_validation_flags(), similar
to [1].

Versions 0.1.10 and older do not validate certificates at all; no patch
is available for these releases.

tarball:
http://telepathy.freedesktop.org/releases/telepathy-idle/telepathy-idle-0.1.15.tar.gz
signature:
http://telepathy.freedesktop.org/releases/telepathy-idle/telepathy-idle-0.1.15.tar.gz.asc
git: http://cgit.freedesktop.org/telepathy/telepathy-idle

Fixes:

• Validate TLS certificates properly, preventing man-in-the-middle
  attacks. (fd.o#63810, Simon)

  This will be a regression for users of IRC-over-SSL servers/proxies
  that do not have a certificate trusted by system-wide CA
  configuration; they will no longer be able to connect. If someone
  implements fd.o #57130, that will provide the ability for those users
  to approve additional certificates.

• Fix compilation and regression tests with GLib 2.36 (Simon)

[1]
http://anonscm.debian.org/gitweb/?p=pkg-telepathy/telepathy-idle.git;a=blob;f=debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch;h=308f11a5743b75855b1cf63fea9ee14fc1d9eb8c;hb=f94f157221692a3609a3cd27fdc8ec4ed8ab1f23