Revision 1618 -> revision 2641
Comment:
Line 7 (old revision) | Line 7 (new revision)
||'''appplication'''||'''in Debian'''||'''Debian Bug'''||'''Upstream Bug'''||'''library used'''||'''affected parts'''|| ||[[http://gwibber.com/|gwibber]]||Yes||[[http://bugs.debian.org/608724|#608724]]||[[https://bugs.launchpad.net/gwibber/+bug/705363|LP:705363]]||python's urllib2||reported against identi.ca backend, looking at the source says all backends|| ||[[http://www.jezra.net/projects/heybuddy|heybuddy]]||No|| || --([[https://bugs.launchpad.net/heybuddy/+bug/798300|LP:798300]])-- ||python's urllib2||identi.ca|| ||[[http://www.hotot.org/|hotot]]||No|| ||[[http://code.google.com/p/hotot/issues/detail?id=388|hotot issue 388]]||python !WebKit?||tested with identi.ca, twitter should be too|| ||[[http://pino-app.appspot.com|pino]]||Yes|| ||[[http://code.google.com/p/pino-twitter/issues/detail?id=339|pino issue 339]]|| ||tested with identi.ca|| ||[[http://pino-app.appspot.com|pino3]]||No|| ||[[https://bitbucket.org/troorl/pino3/issue/21/pino3-should-use-ssl-https-and-validate|pino3 issue 21]]|| ||doesn't SSL at all by default, after patching the identi.ca urls failed as expected|| |
||'''appplication'''||'''vulnerable?'''||'''in Debian'''||'''Debian Bug'''||'''Upstream Bug'''||'''library used'''||'''affected parts'''|| ||[[http://bitlbee.org|bitlbee]]||Yes||Yes|| ||--([[http://bugs.bitlbee.org/bitlbee/ticket/369|BitlBee ticket 369]])--|| ||fixed upstream, not in debian yet, not enabled by default|| ||bti||Yes||Yes|| || || libcurl3-gnutls || identi.ca backend, didn't test twitter || ||choqok||No||Yes|| || || || || ||[[http://gwibber.com/|gwibber]]||Yes||Yes||DebianBug:608724||[[https://bugs.launchpad.net/gwibber/+bug/705363|LP:705363]]||python's urllib2||reported against identi.ca backend, looking at the source says all backends|| ||[[http://www.jezra.net/projects/heybuddy|heybuddy]]||No||No|| || --([[https://bugs.launchpad.net/heybuddy/+bug/798300|LP:798300]])-- ||python's urllib2||identi.ca|| ||[[http://www.hotot.org/|hotot]]||Yes||Yes|| ||[[http://code.google.com/p/hotot/issues/detail?id=388|hotot issue 388]] [[https://github.com/shellex/Hotot/issues/15|closed as not a bug]]||python !WebKit?||tested with identi.ca, twitter should be too|| ||pidgin-microblog||No||Yes|| || ||curl?||does not use SSL by default on identi.ca, fine otherwise|| ||[[http://pino-app.appspot.com|pino]]||Yes||Yes|| ||[[http://code.google.com/p/pino-twitter/issues/detail?id=339|pino issue 339]]|| ||tested with identi.ca|| ||[[http://pino-app.appspot.com|pino3]]||Yes||No|| ||[[https://bitbucket.org/troorl/pino3/issue/21/pino3-should-use-ssl-https-and-validate|pino3 issue 21]]|| librest ||doesn't SSL at all by default, after patching the identi.ca urls failed as expected|| ||[[http://code.google.com/p/qwit/|qwit]]||No||Yes|| || ||qt4|| || ||[[http://www.smuxi.org/|smuxi]]||No||Yes|| || ||mono|| || ||ttytter||No||Yes|| || ||curl||needs -ssl to enable ssl|| ||[[http://turpial.org.ve/|turpial]]||Yes||Yes||DebianBug:631422|| ||python's urllib2||identi.ca does not use HTTPS by default, fails after patching. 
twitter fails immediately|| ||twidge||No||Yes|| || || || || ||[[http://live.gnome.org/DanielMorales/Twitux|twitux]]||Yes||only lenny|| || ||libsoup||no OAuth support, useless atm|| |
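Review bot: the new "vulnerable?" column is applied inconsistently to the applications that do not use SSL at all. pino3 ("doesn't SSL at all by default") is marked Yes, while pidgin-microblog ("does not use SSL by default on identi.ca") and ttytter ("needs -ssl to enable ssl") are marked No; since sending the login/password in plaintext by default exposes the user at least as much as a missing certificate check, the three rows should be classified the same way, or the "affected parts" cell should state the criterion used. Two smaller points: the header cell still reads "appplication" in both revisions, and hotot is marked Yes while its upstream link says "closed as not a bug", which deserves a word in "affected parts".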
Inspired by gwibber bypassing certificate checking when providing the login/password for OAuth, I started looking at other (microblogging) applications to see whether they do proper SSL certificate checks or not.
Note 1: While I think paid SSL certificates are snake oil, the user should be able to trust that the app is connecting to a "verified" (= already known) host.
Note 2: Not all listed apps are packaged in Debian; I'm just abusing wiki.d.o as a "generic" wiki host.
||'''application'''||'''vulnerable?'''||'''in Debian'''||'''Debian Bug'''||'''Upstream Bug'''||'''library used'''||'''affected parts'''||
||bitlbee||Yes||Yes|| ||--(BitlBee ticket 369)--|| ||fixed upstream, not in debian yet, not enabled by default||
||bti||Yes||Yes|| || ||libcurl3-gnutls||identi.ca backend, didn't test twitter||
||choqok||No||Yes|| || || || ||
||gwibber||Yes||Yes||#608724||LP:705363||python's urllib2||reported against identi.ca backend, looking at the source says all backends||
||heybuddy||No||No|| ||--(LP:798300)--||python's urllib2||identi.ca||
||hotot||Yes||Yes|| ||hotot issue 388 (closed as not a bug)||python WebKit?||tested with identi.ca, twitter should be too||
||pidgin-microblog||No||Yes|| || ||curl?||does not use SSL by default on identi.ca, fine otherwise||
||pino||Yes||Yes|| ||pino issue 339|| ||tested with identi.ca||
||pino3||Yes||No|| ||pino3 issue 21||librest||doesn't SSL at all by default, after patching the identi.ca urls failed as expected||
||qwit||No||Yes|| || ||qt4|| ||
||smuxi||No||Yes|| || ||mono|| ||
||ttytter||No||Yes|| || ||curl||needs -ssl to enable ssl||
||turpial||Yes||Yes||#631422|| ||python's urllib2||identi.ca does not use HTTPS by default, fails after patching. twitter fails immediately||
||twidge||No||Yes|| || || || ||
||twitux||Yes||only lenny|| || ||libsoup||no OAuth support, useless atm||