[arch-security] [ASA-201505-19] webkitgtk2: man-in-the-middle
Arch Linux Security Advisory ASA-201505-19 ========================================== Severity: Medium Date : 2015-05-26 CVE-ID : CVE-2015-2330 Package : webkitgtk2 Type : man-in-the-middle Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package webkitgtk2 before version 2.4.9-1 is vulnerable to man-in-the-middle. Resolution ========== Upgrade to 2.4.9-1. # pacman -Syu "webkitgtk2>=2.4.9-1" The problem has been fixed upstream in version 2.4.9. Workaround ========== None. Description =========== It was found that WebKitGTK+ version performed TLS certificate verification too late, after sending an HTTP request rather than before. This issue allows a man-in-the-middle attack to possibly gain sensitive information. Impact ====== A remote attacker is able to perform a man-in-the-middle attack via a crafted TLS certificate to obtain sensitive information. References ========== http://www.openwall.com/lists/oss-security/2015/03/18/4 https://access.redhat.com/security/cve/CVE-2015-2330 https://bugs.archlinux.org/task/44237
participants (1)
-
Levente Polyak