CVE-2013-0240
Published: 5 February 2013
GNOME Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.5 does not properly validate SSL certificates when creating accounts such as Windows Live and Facebook accounts, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network.
Notes
Author | Note |
---|---|
mdeslaur | 3.2 in oneiric and 3.4 in precise only have web backends, so the 3.4 patch will work. In 3.6+, more backends are available that may have invalid certs, but are desirable. The 3.7 patch adds a new configuration item, but this changes API. |
jdstrand | note that CVE-2013-1799 is a result of an incomplete fix for this CVE (and pt2 of the patch for 3.6) |