[v2.6] WebKitGTK: late TLS certificate verification (CVE-2015-2330)
WebKitGTK+ prior to 2.7.92 performed TLS certificate verification too late, after sending an HTTP request rather than before. The issue may be corrected for WebKitGTK+ 2.6.5 and WebKitGTK+ 2.4.8 using a patch.
Applications are affected if they use the WebKit2GTK+ API with WEBKIT_TLS_ERRORS_POLICY_FAIL. (This policy is the default in WebKitGTK+ 2.6.2 and later; applications using earlier versions of WebKitGTK+ must opt-in to certificate verification failures by calling webkit_web_context_set_tls_errors_policy.)
Applications using the original WebKitGTK+ 1 API are unaffected because they must handle certificate verification themselves.
References:
http://seclists.org/oss-sec/2015/q1/871
PATCH:
http://trac.webkit.org/changeset/181074/trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp
(from redmine: issue id 4142, created on 2015-05-11, closed on 2017-09-05)
- Relations:
- parent #4141