https://bugzilla.novell.com/show_bug.cgi?id=777228 https://bugzilla.novell.com/show_bug.cgi?id=777228#c0 Summary: VUL-0: editing WPA2 Enterprise connections makes them insecure again Classification: openSUSE Product: openSUSE 12.2 Version: RC 2 Platform: Other OS/Version: Other Status: NEW Severity: Major Priority: P5 - None Component: Security AssignedTo: glin@suse.com ReportedBy: lnussel@suse.com QAContact: qa-bugs@suse.de CC: security-team@suse.de Found By: --- Blocker: --- In Gnome when editing a WPA2 enterprise connection that has a hash in 'ca-cert' the ca-cert setting disappears from the config file. IOW the cert pinning feature gets lost and wpa_supplicant will not check certificates at all anymore then. Ie re-introduction of CVE-2006-7246 To reproduce connect to a WPA2 enterprise network without selecting a CA certificate. NM will automatically add the probed hash of the server cert to the config -> good. Now edit the connection and e.g. uncheck the autoconnect option. After saving the 'ca-cert' setting with the hash is gone -> bad. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.