Bug 1204653 (CVE-2015-2330)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2015-2330 webkitgtk: TLS certificate late verification | | |
| Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | erik-fedora, huzaifas, martin.sourada, mtasaka, tpopela, tuxator, yselkowi |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | WebKitGTK+ 2.6.5, WebKitGTK+ 2.4.8 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-06-13 21:03:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1204654, 1204655, 1204657, 1204658 | | |
| Bug Blocks: | 1204669 | | |
Description

Martin Prpič
2015-03-23 10:11:28 UTC

Created webkitgtk tracking bugs for this issue:

Affects: epel-7 [bug 1204658]

Created mingw-webkitgtk tracking bugs for this issue:

Affects: epel-7 [bug 1204657]

Created mingw-webkitgtk tracking bugs for this issue:

Affects: fedora-all [bug 1204654]

Created webkitgtk tracking bugs for this issue:

Affects: fedora-all [bug 1204655]

Turns out the versioning in Fedora is a bit different and the tracking bugs for Fedora and EPEL should not have been filed: Fedora and EPEL-7 contain webkitgtk, webkitgtk3, and webkitgtk4. webkitgtk3 and webkitgtk are the same sources, with the latter being built as a version for gtk+-2.0 with disabled webkit2. On F21, webkitgtk3 WebKit2 is disabled due to the existence of webkitgtk4.

To summarize:

- F22, F23: webkitgtk4 fix included in the 2.7.92 update
- F21: webkitgtk4 (webkitgtk3 unaffected because of --disable-webkit2)
- F20: webkitgtk3 (webkitgtk4 does not exist yet)

RHEL 6 ships WebKitGTK version 1, which is not affected by this flaw. RHEL 7 does ship the affected version of WebKitGTK.

Upstream patch: http://trac.webkit.org/changeset/181074

Webkit connects to the get-headers callback from libsoup, where it verifies the identity of the SSL connection, but by this time it has already started exchange of private data.

In gvfs-ftps verification is done from "notify::tls-errors" before any private data is really sent.

Evolution has a complicated mechanism for handling this. It connects to the "network-event" signal, and then when the handshake occurs, casts the connection to a GTlsConnection, and connects to the accept-certificate callback. Therefore evolution is not affected by this issue.

Statement:

This issue affects the version of webkitgtk3 package as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact; a future update may address this flaw.

This issue does not affect the version of webkitgtk package as shipped with Red Hat Enterprise Linux 6.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-2330
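As an added illustration (not code from the bug report, WebKitGTK or Evolution), a small Python model of the libsoup signal ordering the comments above describe: the late pattern checks the certificate from the got-headers handler after the request has already been written, while the Evolution pattern hooks accept-certificate from network-event so a bad certificate aborts the handshake before any private data is sent. Signal and event names follow libsoup/GIO; the classes and the request bytes are constructed stand-ins, not the real API.

```python
from collections import defaultdict
from contextlib import suppress

TLS_HANDSHAKING = "tls-handshaking"  # stands in for G_SOCKET_CLIENT_TLS_HANDSHAKING
REQUEST = b"GET / HTTP/1.1\r\nCookie: session=secret\r\n\r\n"  # constructed; carries private data

class Signals:
    """Tiny GObject-style signal emitter; handlers receive (emitter, *args).
    Also used directly as the SoupMessage stand-in (https_status is set by send)."""
    def __init__(self):
        self._handlers = defaultdict(list)
    def connect(self, name, handler):
        self._handlers[name].append(handler)
    def emit(self, name, *args):
        return [h(self, *args) for h in self._handlers[name]]

class TlsConnection(Signals):
    """Stand-in for GTlsConnection: accept-certificate fires inside the handshake."""
    def handshake(self, peer_cert, cert_errors):
        # A handler returning False rejects the peer before any application data flows.
        if not all(self.emit("accept-certificate", peer_cert, cert_errors)):
            raise ConnectionError("certificate rejected during handshake")

def send(msg, server):
    """Model of a libsoup send: handshake, write request, then emit got-headers."""
    conn = TlsConnection()
    msg.emit("network-event", TLS_HANDSHAKING, conn)  # chance to hook accept-certificate
    conn.handshake(server["cert"], server["errors"])
    server["received"] += len(REQUEST)                  # private data leaves here
    msg.https_status = (server["cert"], server["errors"])
    if False in msg.emit("got-headers"):                # late check: data already sent
        raise ConnectionError("certificate rejected after headers")

def late_verify(msg):
    """Pre-fix WebKitGTK pattern: check https_status from the got-headers handler."""
    msg.connect("got-headers", lambda m: not m.https_status[1])

def early_verify(msg):
    """Evolution pattern: from network-event, hook accept-certificate on the connection."""
    def on_network_event(m, event, conn):
        if event == TLS_HANDSHAKING:
            conn.connect("accept-certificate", lambda c, cert, errors: not errors)
    msg.connect("network-event", on_network_event)

def bytes_leaked(verify, cert_errors):
    """Request bytes the server received before the certificate was rejected."""
    server = {"cert": "CN=example.test (constructed)", "errors": cert_errors, "received": 0}
    msg = Signals()
    verify(msg)
    with suppress(ConnectionError):
        send(msg, server)
    return server["received"]
```

With a certificate error such as an unknown CA, `bytes_leaked(late_verify, ...)` equals the full request length while `bytes_leaked(early_verify, ...)` is 0; with no errors both patterns send the request.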