Bug 1296263 - Security issue in Nuvola Player 2 - no SSL certificate verification
Product: Fedora
Classification: Fedora
Component: nuvolaplayer
Assigned To: MartinKG
Fedora Extras Quality Assurance
Reported: 2016-01-06 13:24 EST by Jiří Janoušek
Modified: 2016-09-21 14:51 EDT
Doc Type: Bug Fix
Last Closed: 2016-09-21 14:51:48 EDT
Type: Bug

Description Jiří Janoušek 2016-01-06 13:24:10 EST
The WebKitGTK+ library, used by Nuvola Player 2, comes with validation of SSL certificates disabled by default. Since Nuvola Player 2 doesn't explicitly turn certificate verification on, it is vulnerable to a man-in-the-middle attack, which may result in theft of passwords to streaming services or linked third-party accounts (e.g. Facebook if the "Login with Facebook" feature has been used). The Nuvola Player team recommends upgrading to Nuvola Player 3, which is not affected by this issue.

Affected versions: All Nuvola Player 2 releases
Fixed in: Nuvola Player 3