_linkedin_http_request() sets CURLOPT_SSL_VERIFYPEER to 0, so the SSL certificate is not validated and the encrypted connection cannot be trusted. This is vulnerable to man-in-the-middle attacks, with DNS spoofing for example. From a security standpoint it is always a very bad idea to set CURLOPT_SSL_VERIFYPEER to 0.

Since this module does not have a stable release, we can handle this security issue in public per our policy: https://drupal.org/security-advisory-policy

Solution: set CURLOPT_SSL_VERIFYPEER to 1 in _linkedin_http_request().
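For illustration, an added example (not the linkedin module's own code) of a curl helper in the shape of _linkedin_http_request() with peer verification kept on; the function name, the 'code'/'body'/'error' result keys and the extra hostname check are assumptions, not part of the module:

```php
<?php
// Added example, not the linkedin module's code. Names are assumptions.
// Shows the fixed setting (CURLOPT_SSL_VERIFYPEER => TRUE) plus the hostname
// check that peer verification alone does not give you.

/**
 * Perform an HTTPS request with server certificate validation enforced.
 *
 * @return array
 *   Keys: 'code' (HTTP status, 0 on transport failure), 'body', 'error'.
 */
function example_linkedin_https_request($url, array $options = array()) {
  $ch = curl_init($url);
  // Hardened defaults go on the LEFT of "+" so a caller cannot override them.
  curl_setopt_array($ch, array(
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_FOLLOWLOCATION => FALSE,
    CURLOPT_TIMEOUT        => 30,
    // The fix from this issue: validate the server certificate chain.
    // The vulnerable code had CURLOPT_SSL_VERIFYPEER => 0 here.
    CURLOPT_SSL_VERIFYPEER => TRUE,
    // Also require the certificate to match the requested host name;
    // 2 is the only meaningful value for this option.
    CURLOPT_SSL_VERIFYHOST => 2,
    // Never let the helper talk plain HTTP.
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
  ) + $options);

  $body = curl_exec($ch);
  $result = array(
    'code'  => curl_getinfo($ch, CURLINFO_HTTP_CODE),
    'body'  => $body,
    'error' => NULL,
  );
  // A failed certificate check surfaces as a curl error (curl_exec() returns
  // FALSE). Report it; never retry with verification switched off.
  if ($body === FALSE) {
    $result['error'] = curl_errno($ch) . ': ' . curl_error($ch);
  }
  curl_close($ch);
  return $result;
}
```

A spoofed or self-signed endpoint now produces a non-empty 'error' and an empty body instead of a silently accepted response.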

Files attached to comments:
#1  linkedin-ssl-verify-2154697-1.patch  (459 bytes)  klausi

Comments

Comment by klausi

Status: Active » Needs review
Attached file: new, 459 bytes

Patch attached.

Comment by davad

Status: Needs review » Fixed

Applied the change to the 7.x and 6.x branches.

Comment by klausi

Status: Fixed » Active

So we need a security release for both branches.

Please create a new release and tag it as security update. I can publish the release nodes for you once they are ready.