2011/11/29 "Jóhann B. Guðmundsson" <johannbg@xxxxxxxxx>: > On 11/29/2011 10:59 AM, drago01 wrote: >> 2011/11/29 "Jóhann B. Guðmundsson"<johannbg@xxxxxxxxx>: >>> On 11/29/2011 01:19 AM, Peter Robinson wrote: >>>> 2011/11/29 "Jóhann B. Guðmundsson"<johannbg@xxxxxxxxx>: > <snip> >>> Good that CVE-2011-4129 is fixed however I still would like to >>> disable/remove this all together since I have no interest at all having >>> my desktop making arbitrary connections and feeding social network sites >>> what I am doing on the computer behind my back. >> It does not do that. > > Well apparently this one did as in that gave Twitter information on > every successful Fedora 16 user login to gnome shell in default > installation initiating unasked and silent transaction with twitter > without the user consent and no obvious way to disable it, done over an > non verified ssl connection leaving it vulnerable to mitm attack as > Henrik mentions on the CVE. Firstly it didn't give twitter any information what so ever. It attempted to authenticate without an account configured so it sent blank details. The bug in libsocialweb was the fact that it even tried to authenticate when an account wasn't configured. There was a second bug in librest where it didn't verify the ssl connection. This has been fixed as well so with the update MITM issues should be gone, and without an account configured it won't even be attempted. > So whether it did or did not is irrelevant since the risk of application > leaking private information such as you contacts list phone numbers, > email addresses chat contacts or as little as to simply if you are > logged then ofcourse at the same time your location etc. to online > social networking sites for harvesting and further user profiling or to > some unknown location that has hijacked your connection is at hand. Its a failed auth attempt to a https server its not secretly uploading all your contact information or location. > For you that might not matter but to my clients,my family and my friends > it does thus again how can I disable/remove "libsocialweb-core" so I can > reduce the risk/prevent applications from "accidentally" doing that? Without you configuring your account details in there its not actually possible for it to do that. > But given that nobody seems to be able to answer the question on how to > disable/remove it which indicates that the ability to do that does not > exist, does upstream Gnome keep an list of application that are using > "libsocialweb-core" so relevant application can be replaced and > recommended with alternatives that do not use "libsocialweb-core" to > better maintain their desktop privacy? The way to disable or remove it is the same for any package that is dependency in Fedora. Recompile dependant packages without it if you don't like the compile options. I believe the only dependency in this case is folks. > Seriously are we heading the way with Gnome that the Fedora users now > have to grant "Permissions" similar to [1] with each Fedora "Default" > installation for the applications that come with it... No, you can just disconnect your network cable is you dislike it that much. It was a pair of bugs in applications, they happen, they have now been fixed, its really not the conspiracy theory that its being made out to be. There's likely a lot worse around if your audit the millions of lines of code that make up Fedora. Peter Peter -- desktop mailing list desktop@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/desktop
