Hello community,

here is the log from the commit of package grilo for openSUSE:Factory checked in at 2021-09-03 21:25:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grilo (Old)
 and      /work/SRC/openSUSE:Factory/.grilo.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "grilo"

Fri Sep  3 21:25:33 2021 rev:44 rq:914555 version:0.3.13

Changes:
--------
--- /work/SRC/openSUSE:Factory/grilo/grilo.changes      2020-09-10 
22:45:14.739669036 +0200
+++ /work/SRC/openSUSE:Factory/.grilo.new.1899/grilo.changes    2021-09-03 
21:25:40.098145242 +0200
@@ -1,0 +2,6 @@
+Fri Aug 27 02:32:18 UTC 2021 - Xiaoguang Wang <xiaoguang.w...@suse.com>
+
+- Add grilo-CVE-2021-39365.patch: Fix missing TLS certificate
+  verification(glgo#GNOME#grilo#146 bsc#1189839 CVE-2021-39365).
+
+-------------------------------------------------------------------
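Review bot: the entry cites only CVE-2021-39365, while the upstream commit message carried in grilo-CVE-2021-39365.patch says "This mitigates CVE-2016-20011"; a reader comparing the two will see apparently conflicting ids. Suggest mentioning in the entry that the upstream commit refers to CVE-2016-20011 for the libsoup default behaviour it fixes around, so the relationship between the two identifiers is recorded in the changelog rather than only recoverable from the patch.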

New:
----
  grilo-CVE-2021-39365.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ grilo.spec ++++++
--- /var/tmp/diff_new_pack.un4w8J/_old  2021-09-03 21:25:40.498145660 +0200
+++ /var/tmp/diff_new_pack.un4w8J/_new  2021-09-03 21:25:40.502145664 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package grilo
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,6 +24,8 @@
 Group:          Productivity/Multimedia/Other
 URL:            https://live.gnome.org/Grilo
 Source0:        
https://download.gnome.org/sources/grilo/0.3/%{name}-%{version}.tar.xz
+# PATCH-FIX-UPSTREAM grilo-CVE-2021-39365.patch glgo#GNOME#grilo#146 
bsc#1189839 CVE-2021-39365 xw...@suse.com -- Fix missing TLS certificate 
verification
+Patch0:         grilo-CVE-2021-39365.patch
 
 BuildRequires:  fdupes
 BuildRequires:  gtk-doc
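Review bot: Patch0 is declared here but the diff shows no matching change in %prep; unless the spec already uses %autosetup -p1 (or %autopatch), a %patch0 -p1 line is needed, otherwise the patch is listed but never applied and the package ships unfixed. Worth confirming in the build log that the patch is actually applied. Minor: the PATCH-FIX-UPSTREAM comment could also cite the upstream commit id (cd2472e506dafb1bb8ae510e34ad4797f63e263e, from the header of the patch file) so the origin is traceable without opening the patch.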

++++++ grilo-CVE-2021-39365.patch ++++++
From cd2472e506dafb1bb8ae510e34ad4797f63e263e Mon Sep 17 00:00:00 2001
From: Bastien Nocera <had...@hadess.net>
Date: Mon, 21 Jun 2021 15:00:14 +0200
Subject: [PATCH] net: Fix TLS cert validation not being done for any network
 call

The default SoupSessionAsync behaviour does not perform any TLS certificate
validation, unless the ssl-use-system-ca-file property is set to true.

See https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/

This mitigates CVE-2016-20011.

Closes: #146
---
 libs/net/grl-net-wc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libs/net/grl-net-wc.c b/libs/net/grl-net-wc.c
index 5a8e89f5..5ff1d177 100644
--- a/libs/net/grl-net-wc.c
+++ b/libs/net/grl-net-wc.c
@@ -314,6 +314,7 @@ grl_net_wc_init (GrlNetWc *wc)
   wc->priv = grl_net_wc_get_instance_private (wc);
 
   wc->priv->session = soup_session_async_new ();
+  g_object_set (G_OBJECT (wc->priv->session), "ssl-use-system-ca-file", TRUE, 
NULL);
   wc->priv->pending = g_queue_new ();
 
   set_thread_context (wc);
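Review bot: the property is set on the right object, but the fix is scoped to this one session; the diffstat shows only libs/net/grl-net-wc.c touched, so any other SoupSessionAsync or SoupSessionSync created elsewhere in grilo or in its plugins keeps the no-verification default and should get the same treatment. An equivalent form that configures the session at construction time is `wc->priv->session = soup_session_async_new_with_options (SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);`, which also avoids having an unconfigured session object exist at all, though nothing runs between the two calls here. Consumers of GrlNetWc should expect that a request to a host whose certificate fails validation now ends in an error instead of silently succeeding, so their error paths need to handle that case.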
-- 
GitLab
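The upstream message above describes the libsoup 2.x trap this patch fixes: SoupSessionAsync and SoupSessionSync do not verify TLS certificates unless ssl-use-system-ca-file (or a tls-database) is set. The same mistake is easy to repeat in other code, so the following is an added audit helper, written for this page and not part of grilo or libsoup, that scans C source for soup_session_async_new / soup_session_sync_new constructions with no verification setting before the enclosing function ends. It assumes the libsoup 2.38+ property names and macros (ssl-use-system-ca-file, tls-database, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, SOUP_SESSION_TLS_DATABASE) and that plain soup_session_new() sessions verify by default and so need no flag. The C snippets it runs over are constructed for the example (the grilo init before and after the fix, plus a mixed function); they are not files from the package.

```python
"""Audit helper: flag libsoup 2.x SoupSessionSync/SoupSessionAsync constructions
that never enable TLS certificate verification.

Added example, not grilo or libsoup code.  Heuristic: a legacy session is
treated as verified if, between its construction and the end of the enclosing
function (first line that is just "}"), the code sets
ssl-use-system-ca-file / SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE to TRUE or
supplies a tls-database / SOUP_SESSION_TLS_DATABASE.  Plain soup_session_new()
is not flagged because such sessions verify by default (assumption stated in
the lead-in).  Limitation: a setting applied to a *different* session later in
the same function masks an unverified one; treat hits as leads, not proof.
"""
import re

# Constructors of the legacy session classes that default to no verification.
LEGACY_CTOR = re.compile(r"\bsoup_session_(?:async|sync)_new(?:_with_options)?\s*\(")

# Settings that switch verification on (property strings or their macros).
VERIFY_ON = re.compile(
    r'(?:"ssl-use-system-ca-file"|SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE)\s*,\s*TRUE'
    r'|(?:"tls-database"|SOUP_SESSION_TLS_DATABASE)\s*,'
)

# End of a C function body at column 0 (GNOME/GNU brace style).
FUNC_END = re.compile(r"^\}")


def find_unverified_sessions(c_source: str):
    """Return [(line_no, stripped_line)] for every legacy session construction
    that is not followed, within its function, by a verification setting."""
    lines = c_source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not LEGACY_CTOR.search(line):
            continue
        # Collect the constructor line and everything up to the closing brace.
        scope = []
        for later in lines[i:]:
            scope.append(later)
            if FUNC_END.match(later):
                break
        if not VERIFY_ON.search("\n".join(scope)):
            findings.append((i + 1, line.strip()))
    return findings


# Constructed sample sources for the example (not real files): grilo's init
# before and after the CVE-2021-39365 fix, and a function mixing session kinds.
BEFORE_FIX = """\
static void
grl_net_wc_init (GrlNetWc *wc)
{
  wc->priv = grl_net_wc_get_instance_private (wc);

  wc->priv->session = soup_session_async_new ();
  wc->priv->pending = g_queue_new ();
}
"""

AFTER_FIX = """\
static void
grl_net_wc_init (GrlNetWc *wc)
{
  wc->priv = grl_net_wc_get_instance_private (wc);

  wc->priv->session = soup_session_async_new ();
  g_object_set (G_OBJECT (wc->priv->session), "ssl-use-system-ca-file", TRUE, NULL);
  wc->priv->pending = g_queue_new ();
}
"""

MIXED = """\
static SoupSession *
make_sessions (void)
{
  SoupSession *ok = soup_session_sync_new_with_options (SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
  SoupSession *plain = soup_session_new ();
  SoupSession *bad = soup_session_sync_new ();
  return bad;
}
"""

if __name__ == "__main__":
    for name, src in (("before", BEFORE_FIX), ("after", AFTER_FIX), ("mixed", MIXED)):
        for line_no, text in find_unverified_sessions(src):
            print(f"{name}:{line_no}: unverified TLS session: {text}")
```

Run against a checkout with the sources concatenated or fed file by file; the pre-fix grilo function and the bare soup_session_sync_new() in the mixed sample are reported, while the patched function and the session configured through _with_options are not. The scope heuristic stops at the first column-0 closing brace, which matches GNOME-style C but will over-scan code that indents function-closing braces.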
