FreeBSD : shotwell -- not verifying certificates (448047e9-030e-4ce4-910b-f21a3ad5d9a0)

high Nessus Plugin ID 88603

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Michael Catanzaro reports :

Shotwell has a serious security issue ('Shotwell does not verify TLS certificates'). Upstream is no longer active and I do not expect any further upstream releases unless someone from the community steps up to maintain it.

What is the impact of the issue? If you ever used any of the publish functionality (publish to Facebook, publish to Flickr, etc.), your passwords may have been stolen; changing them is not a bad idea.

What is the risk of the update? Regressions. The easiest way to validate TLS certificates was to upgrade WebKit; it seems to work but I don't have accounts with the online services it supports, so I don't know if photo publishing still works properly on all the services.

Solution

Update the affected package.

See Also

http://www.nessus.org/u?a4a937fd

http://www.nessus.org/u?fda5d6e5

Plugin Details

Severity: High

ID: 88603

File Name: freebsd_pkg_448047e9030e4ce4910bf21a3ad5d9a0.nasl

Version: 2.3

Type: local

Published: 2/8/2016

Updated: 1/4/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:shotwell, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2/5/2016

Vulnerability Publication Date: 1/6/2016