Bug#993592: probably not vulnerable? Re: #993592 CVE-2021-39359
Salvatore Bonaccorso
carnil at debian.org
Mon Dec 9 21:13:41 GMT 2024
Hi,
On Mon, Dec 09, 2024 at 08:01:32PM +0000, Rebecca N. Palmer wrote:
> This *probably* doesn't affect Debian stable (5.2.10-3) and later, as they
> were built --without-libsoup (to avoid an unrelated crash, #1017528), and
> the description and upstream fix suggest that the vulnerable functionality
> requires libsoup. Is this enough evidence to mark it as non-vulnerable in
> the security tracker, and if so, what is the process for doing so?
>
> It probably does affect oldstable and earlier, but given its 'minor' status
> in the security tracker, this might not be worth fixing. As noted earlier
> in the bug, it has been properly fixed in unstable.
As we track it on source-code level, not not-affected, but if the
issue has no impact we might change it to <ignored> rather than
<no-dsa> and put it away from the radar.
But what happens if built with --without-libsoup? I guess then TLS
certificate validation is absent as well; what are the consequences?
Regards,
Salvatore