FreeBSD : shotwell -- not verifying certificates (448047e9-030e-4ce4-910b-f21a3ad5d9a0)

High Nessus Plugin ID 88603


The remote FreeBSD host is missing a security-related update.


Michael Catanzaro reports :

Shotwell has a serious security issue ('Shotwell does not verify TLS certificates'). Upstream is no longer active and I do not expect any further upstream releases unless someone from the community steps up to maintain it.

What is the impact of the issue? If you ever used any of the publish functionality (publish to Facebook, publish to Flickr, etc.), your passwords may have been stolen; changing them is not a bad idea.

What is the risk of the update? Regressions. The easiest way to validate TLS certificates was to upgrade WebKit; it seems to work but I don't have accounts with the online services it supports, so I don't know if photo publishing still works properly on all the services.


Update the affected package.

See Also

Plugin Details

Severity: High

ID: 88603

File Name: freebsd_pkg_448047e9030e4ce4910bf21a3ad5d9a0.nasl

Version: $Revision: 2.1 $

Type: local

Published: 2016/02/08

Modified: 2016/02/08

Dependencies: 12634

Risk Information

Risk Factor: High

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:shotwell, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2016/02/05

Vulnerability Publication Date: 2016/01/06