CVE-2012-2132

Publication date 20 August 2012

Last updated 24 July 2024

Ubuntu priority

libsoup 2.32.2 and earlier does not validate certificates or clear the trust flag when the ssl-ca-file does not exist, which allows remote attackers to bypass authentication by connecting with a SSL connection.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libsoup2.4	12.04 LTS precise	Ignored
	11.10 oneiric	Ignored
	11.04 natty	Ignored
	10.04 LTS lucid	Ignored
	8.04 LTS hardy	Ignored end of life

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

This isn't actually a flaw in libsoup, it's a flaw in applications that don't set ssl-strict, and don't set ssl-ca-file, but expect SOUP_MESSAGE_CERTIFICATE_TRUSTED to mean something. Applications should either set a ssl-ca-file, or ignore SOUP_MESSAGE_CERTIFICATE_TRUSTED. We aren't going to fix this in libsoup. Applications should be fixed instead. Marked as ignored.

References

MITRE
NVD
Launchpad
Debian

Other references

http://www.openwall.com/lists/oss-security/2012/04/24
https://www.cve.org/CVERecord?id=CVE-2012-2132