Bug#996590: evolution-rss: CVE-2021-39361: Missing TLS certificate verification
Salvatore Bonaccorso
carnil at debian.org
Fri Oct 15 21:04:33 BST 2021
Source: evolution-rss
Version: 0.3.96-4
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/evolution-rss/-/issues/11
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 0.3.96-2
Control: found -1 0.3.95-9
Hi,

The following vulnerability was published for evolution-rss.

CVE-2021-39361[0]:
| In GNOME evolution-rss through 0.3.96, network-soup.c does not enable
| TLS certificate verification on the SoupSessionSync objects it
| creates, leaving users vulnerable to network MITM attacks. NOTE: this
| is similar to CVE-2016-20011.

TTBOMK, no fix exists yet at time of writing, bug filed to track the
upstream issue downstream so far.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-39361
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39361
[1] https://gitlab.gnome.org/GNOME/evolution-rss/-/issues/11

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
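
An added example, not part of the original report and not evolution-rss or libsoup code: a source-audit check for the pattern the CVE text describes, listing SoupSessionSync/SoupSessionAsync constructor calls that are never given a CA source. It assumes the libsoup 2.x property names `ssl-use-system-ca-file`, `ssl-ca-file` and `tls-database`; the function names and the C fragment in `SAMPLE` are constructed for illustration.

```python
import re

# Deprecated libsoup 2.x session constructors, with the assigned variable if any.
CTOR = re.compile(r'(?:([\w.>-]+)\s*=\s*)?'
                  r'\b(soup_session_(?:sync|async)_new(?:_with_options)?)\s*\(')
# A CA-source property followed by a value other than FALSE/NULL/0.
VERIFY = re.compile(r'(?:SOUP_SESSION_(?:SSL_USE_SYSTEM_CA_FILE|SSL_CA_FILE|TLS_DATABASE)'
                    r'|"(?:ssl-use-system-ca-file|ssl-ca-file|tls-database)")'
                    r'\s*,\s*(?!\s|FALSE\b|NULL\b|0\b)')
COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)

def call_args(src, open_idx):
    """Text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += (src[i] == '(') - (src[i] == ')')
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def unverified_sessions(src):
    """Return (line, constructor, variable) for sessions with no CA source."""
    # Blank out comments but keep newlines so line numbers stay correct.
    src = COMMENT.sub(lambda m: re.sub(r'[^\n]', ' ', m.group()), src)
    findings = []
    for m in CTOR.finditer(src):
        var, ctor = m.group(1), m.group(2)
        if VERIFY.search(call_args(src, m.end() - 1)):
            continue  # property passed directly to the constructor
        # Otherwise accept a g_object_set() on the same variable.
        setter = r'\bg_object_set\s*(\()\s*%s\s*,' % re.escape(var or '')
        if var and any(VERIFY.search(call_args(src, s.start(1)))
                       for s in re.finditer(setter, src)):
            continue
        findings.append((src.count('\n', 0, m.start()) + 1, ctor, var))
    return findings

# Constructed C fragment: sessions a and d should be reported, b and c not.
SAMPLE = '''\
SoupSession *a = soup_session_sync_new();          /* no CA source */
SoupSession *b = soup_session_sync_new_with_options(
    SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
SoupSession *c = soup_session_async_new();
g_object_set(c, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
SoupSession *d = soup_session_sync_new_with_options(
    SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, FALSE, NULL);
'''

if __name__ == "__main__":
    print(unverified_sessions(SAMPLE))
```

This is a text heuristic: a hit is a call site to review by hand, and it does not look at `ssl-strict` or at properties set through a differently named pointer.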