severity 560067 important
thanks

Witold Baryluk wrote:
> Package: network-manager-gnome
> Version: 0.7.2-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> After configuring WPA2 Enterprise with TTLS and PAP, I was using a certificate file
> in /etc/ssl/certs/...pem (automatically imported from
> /usr/local/share/ca-certificates/domain/certrootfile.crt)
>
> Then I reinstalled the system, and have not configured certificates yet.
>
> After reinstalling the system and restoring the /home directory, I logged into my new
> system.
>
> After giving the password to gnome-keyring, NM automatically connected to my network,
> even considering that it does not exist:
>
> ** (nm-applet:6704): WARNING **: utils_fill_connection_certs: couldn't read CA certificate: 4 Nie można otworzyć pliku "/etc/ssl/certs/SMP_Root_Certification_Authority_2.pem": Nie ma takiego pliku ani katalogu
>
> But NM thinks that it should connect anyway. And it connects,
> possibly leaking my credentials, login and password, and all
> keys, and of course network traffic.
>
> There should be a considerably more verbose error provided to the user (using
> nm-applet), and NM should abort connecting.

I agree it is a security issue, but imho not such a severe one that severity grave is justified, especially as it only happens under very particular circumstances (thus downgrading to important).

This bug is supposedly fixed in the upcoming 0.8 release. If you want to try, I have preliminary packages at [1] and I would be interested if these packages behave better.

Cheers,
Michael

[1] http://debs.michaelbiebl.de/network-manager/

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
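
The difference between the reported behaviour and the requested one, as an added example that is not part of the original thread and is not NetworkManager's code. The function names, the profile dictionary and the file name are hypothetical; the fail-open function models what the report describes (warn, then connect without the CA), and the fail-closed one models the requested abort.

```python
import os
import tempfile

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

class CaCertError(Exception):
    """The configured CA certificate cannot be used to validate the server."""

def load_ca_cert(path):
    """Return the PEM bytes at path, or raise CaCertError."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        raise CaCertError(f"cannot read CA certificate {path}: {exc}") from exc
    if PEM_MARKER not in data:
        raise CaCertError(f"{path} does not contain a PEM certificate")
    return data

def build_8021x_fail_open(profile):
    """Reported behaviour for a profile with ca_cert set: warn, drop the CA, go on."""
    settings = dict(profile)
    try:
        settings["ca_cert_data"] = load_ca_cert(profile["ca_cert"])
    except CaCertError as exc:
        print(f"WARNING: {exc}")
        settings.pop("ca_cert")  # the server is no longer authenticated
    return settings

def build_8021x_fail_closed(profile):
    """Hardened form: a configured but unusable CA aborts the connection."""
    settings = dict(profile)
    if profile.get("ca_cert"):
        settings["ca_cert_data"] = load_ca_cert(profile["ca_cert"])  # may raise
    return settings

def demo():
    """Run both builders on a constructed profile whose CA file is missing."""
    missing = os.path.join(tempfile.mkdtemp(), "constructed-root-ca.pem")
    profile = {"eap": "ttls", "phase2": "pap", "identity": "user", "ca_cert": missing}
    opened = build_8021x_fail_open(profile)
    try:
        build_8021x_fail_closed(profile)
        closed = "connected"
    except CaCertError:
        closed = "aborted"
    return ("ca_cert" in opened, closed)
```

With TTLS/PAP the inner password is sent through the TLS tunnel, so a profile that silently loses its CA hands that password to whichever server terminates the tunnel.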