Bug#1123738: Errands skipping TLS checks: okay to fix via stable-updates no-DSA?
John Scott
jscott at posteo.net
Mon Jan 5 18:02:00 GMT 2026
Hi Security Team,
I'm not a member of the Debian GNOME Team nor do I have uploading privileges for this package, but for the sake of helping move this along and also for my own pleasure, I'm preparing a merge request to address this bug. I would like your acknowledgment that preparing an ordinary stable update is okay.
It was discovered in August that the Errands graphical task manager hard-codes in its source that no TLS certificate verification (hostname or otherwise) be done or attempted when connecting to CalDAV servers; any presented TLS certificate is always accepted. (CalDAV here usually uses HTTP Basic authentication, so TLS is the sole confidentiality layer.) At my request, the upstream author made a new release in which addressing this is the only substantial change. No formal security advisory or vulnerability identifier was issued, and thus it's not in the Debian Security Tracker either. This has always been a non-confidential issue.
Can I have your affirmation that it's okay to proceed going the trixie-updates/Release Team route to upload a fix as if it were a non-security bug? I understand that your judgment is required before anyone (a GNOME Team member or myself) can commence an upload.
Thanks
See also:
• upstream issue at https://github.com/mrvladus/Errands/issues/401
• my description of the problem and informal request for advice on these types of issues on the debian-security mailing list at https://lists.debian.org/msgid-search/3e999822ca44723959d49c896c2c8861af1f10f9.camel%40posteo.net
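Since no advisory or tracker entry exists for this class of hard-coded bypass, a packager reviewing a fix can at least check the source mechanically. The following is an added example, not code from the bug report or from the Errands project: an AST scan over Python source (assuming, as I understand it, that the project is written in Python) that flags the usual ways of switching off certificate and hostname verification; the sample input is constructed, and the keyword names are those of the requests and python-caldav libraries as I know them, not Errands' actual code.

```python
import ast

# Constructed sample, not Errands' source: a CalDAV client setup that
# disables certificate/hostname verification in several common ways.
SAMPLE_SOURCE = '''
import ssl, requests
from caldav import DAVClient

ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
resp = requests.get(url, auth=(user, pw), verify=False)
client = DAVClient(url, username=user, password=pw, ssl_verify_cert=False)
safe = requests.get(url, auth=(user, pw))
'''


class TlsBypassFinder(ast.NodeVisitor):
    """Collect (line, reason) pairs for code that turns off TLS verification."""
    # Keyword arguments used by requests / python-caldav to disable checks.
    VERIFY_KWARGS = {"verify", "ssl_verify_cert", "verify_ssl", "check_hostname"}

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        for kw in node.keywords:
            if (kw.arg in self.VERIFY_KWARGS
                    and isinstance(kw.value, ast.Constant) and kw.value.value is False):
                self.findings.append((node.lineno, f"{kw.arg}=False"))
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        if name == "_create_unverified_context":  # stdlib ssl escape hatch
            self.findings.append((node.lineno, "unverified SSL context"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        value = node.value
        for target in node.targets:
            if not isinstance(target, ast.Attribute):
                continue
            if (target.attr == "check_hostname"
                    and isinstance(value, ast.Constant) and value.value is False):
                self.findings.append((node.lineno, "check_hostname = False"))
            if (target.attr == "verify_mode"
                    and isinstance(value, ast.Attribute) and value.attr == "CERT_NONE"):
                self.findings.append((node.lineno, "verify_mode = CERT_NONE"))
        self.generic_visit(node)


def find_tls_bypasses(source: str):
    """Return sorted (line, reason) findings for the given Python source text."""
    finder = TlsBypassFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for line, reason in find_tls_bypasses(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

Run it over an unpacked source tree (one file at a time) to confirm that a proposed update actually removes every bypass rather than only the one the upstream issue mentions.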