PublicDateAtUSN: 2013-02-05
Candidate: CVE-2013-0240
PublicDate: 2013-04-02 03:22:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0240
 https://ubuntu.com/security/notices/USN-1779-1
Description:
 Gnome Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.5, does not properly validate SSL certificates when creating accounts such as Windows Live and Facebook accounts, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network.
Ubuntu-Description:
Notes:
 mdeslaur> 3.2 in oneiric and 3.4 in precise only have web backends, so
 mdeslaur> the 3.4 patch will work. In 3.6+, more backends are available
 mdeslaur> that may have invalid certs, but are desirable. The 3.7 patch
 mdeslaur> adds a new configuration item, but this changes API.
 jdstrand> note that CVE-2013-1799 is a result of an incomplete fix for this CVE (and pt2 of the patch for 3.6)
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699825
 https://launchpad.net/bugs/1117411
 https://bugzilla.gnome.org/show_bug.cgi?id=693214
 https://bugzilla.redhat.com/show_bug.cgi?id=894352
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_gnome-online-accounts:
 upstream: http://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e (3.7)
 upstream: http://git.gnome.org/browse/gnome-online-accounts/commit/?id=d5d229529c498ab8b19c29080dd79930fd353d93 (related)
 upstream: http://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-4&id=5a3d3862b0765385f38ca1ba2a9e2e74eb0d111d (3.4)
 upstream: https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=ecad8142e9ac519b9fc74b96dcb5531052bbffe1 (3.6 pt1)
 upstream: https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=de6ee1fa825297c6c89cddb767f4da8df6dbfca2 (3.6 related)
 upstream: https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=232bffd1dae3e708f06d83fd802a2218e43ebc5d (3.6 related)
 upstream: https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=229a82872b4c5399c1d3793c46ba5d3e19e1a8ee (3.6 related)
 upstream: https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=55f1171b15d5c307894943a6b753dd8e59b1452d (3.6 related)
 upstream: https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=03aa82a3777885fe3a06db02621852f1f8c429d8 (3.6 related)
 upstream: https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=012dbc6d6cac1ad1696dd11b96ee389f0efbb134 (3.6 related)
 upstream: https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=9cf4bc0ced2c53bcdd36922caa65afc8a167bbd8 (3.6 pt2)
upstream_gnome-online-accounts: released (3.4.2-2,3.6.3)
hardy_gnome-online-accounts: DNE
lucid_gnome-online-accounts: DNE
oneiric_gnome-online-accounts: released (3.2.1-0ubuntu1.1)
precise_gnome-online-accounts: released (3.4.0-0ubuntu1.1)
quantal_gnome-online-accounts: released (3.6.0-0ubuntu1.1)
devel_gnome-online-accounts: released (3.6.2-1ubuntu1)