Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3900 to the following vulnerability:

Midori before 0.2.5, when WebKitGTK+ before 1.1.14 or LibSoup before 2.29.91 is used, does not verify X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary https web sites via a crafted server certificate, a related issue to CVE-2010-3312.

References:
[1] http://www.openwall.com/lists/oss-security/2010/09/17/6
[2] http://www.omgubuntu.co.uk/2010/05/midori-0-2-5-released/
[3] http://www.twotoasts.de/bugs/index.php?do=details&task_id=743
[4] http://git.xfce.org/apps/midori/tree/ChangeLog
[5] http://www.twotoasts.de/bugs/index.php?do=details&task_id=168
[6] http://www.twotoasts.de/index.php?/archives/30-Validation,-vending-and-Vala.html

Note:
=====
The current versions of midori packages, as shipped with Fedora release of 12 and 13 are already upstream v0.2.6 based (soon these will be v0.2.8 upstream version based), so it is possible this flaw was already fixed. If that is the case, please provide the link to upstream changeset addressing the issue and close this bug with "CURRENTRELEASE".
I think this is fixed by: http://git.xfce.org/apps/midori/commit/?id=2507f971caa0d556164e09a6e5bbbaa1248119a0
Similar bug for epiphany - bug #636933.
Current Fedora has midori 0.5.10 which should be fixed.