LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Fedora alert FEDORA-2011-15839 (libsocialweb)



From:
    	      updates@fedoraproject.org 


To:
    	      package-announce@lists.fedoraproject.org 


Subject:
    	      [SECURITY] Fedora 15 Update: libsocialweb-0.25.20-1.fc15 


Date:
    	      Tue, 29 Nov 2011 00:03:00 +0000


Message-ID:
    	      <20111129000300.DB772210B4@bastion01.phx2.fedoraproject.org>


Archive-link:
    	      Article, Thread
              


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-15839
2011-11-13 04:38:51
--------------------------------------------------------------------------------

Name        : libsocialweb
Product     : Fedora 15
Version     : 0.25.20
Release     : 1.fc15
URL         : http://www.gnome.org/
Summary     : A social network data aggregator
Description :
libsocialweb is a social data server which fetches data from the "social web",
such as your friend's blog posts and photos, upcoming events, recently played
tracks, and pending eBay* auctions. It also provides a service to update
your status on web services which support it, such as MySpace* and Twitter*.

--------------------------------------------------------------------------------
Update Information:

CVE-2011-4129

A security flaw was found in the way the libsocialweb, a social network data aggregator, performed
its initialization when this service start was initiated by the dbus daemon. Due to a deficiency in
a way the libsocialweb service was initialized, an untrusted (non-SSL) network connection has been
opened to remote Twitter service servers without explicit approval of the user, running the
libsocialweb service on the local host. A remote attacker could use this flaw to conduct various
MITM attacks and potentially alter integrity of the user account in question.

* libsocialweb: The views will try and fetch content from the web service even if they aren't
configured.

* rest: enforce that the SSL certificate is valid
--------------------------------------------------------------------------------
ChangeLog:

* Sat Nov 12 2011 Peter Robinson <pbrobinson@fedoraproject.org> 0.25.20-1
- update to 0.25.20. Fixes CVE-2011-4129, RHBZ 752022
* Mon Jul  4 2011 Bastien Nocera <bnocera@redhat.com> 0.25.19-1
- Update to 0.25.19
* Wed Jun 15 2011 Peter Robinson <pbrobinson@fedoraproject.org> 0.25.18-1
- Update to 0.25.18
* Sun May 22 2011 Peter Robinson <pbrobinson@fedoraproject.org> 0.25.17-1
- Update to 0.25.17
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #752022 - CVE-2011-4129 libsocialweb: Untrusted connection to Twitter without user's
approval upon service start via dbus
        https://bugzilla.redhat.com/show_bug.cgi?id=752022
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update libsocialweb' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds