Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#32918 - [libsocialweb] connects with flickr server without user permission (security problem)

Attached to Project: Arch Linux
Opened by Greg (dolby) - Saturday, 01 December 2012, 02:34 GMT
Last edited by Ionut Biru (wonder) - Sunday, 02 December 2012, 08:04 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Ionut Biru (wonder)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

services/flickr/flickr.c in libsocialweb before 0.25.21 automatically connects to Flickr when no Flickr account is set, which might allow remote attackers to obtain sensitive information via a man-in-the-middle (MITM) attack.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4511

https://bugzilla.redhat.com/show_bug.cgi?id=863206

http://www.openwall.com/lists/oss-security/2012/10/10/10

Upstream commit: http://git.gnome.org/browse/libsocialweb/commit/?id=8c28ae1d5db5529020652cee3700c75341625503

Upgrading to 0.25.21 is advised instead of applying the above patch as it was released to address this exact issue.
This task depends upon

Closed by  Ionut Biru (wonder)
Sunday, 02 December 2012, 08:04 GMT
Reason for closing:  Fixed

Loading...