Hi,

On Mon, Dec 09, 2024 at 08:01:32PM +0000, Rebecca N. Palmer wrote:
> This *probably* doesn't affect Debian stable (5.2.10-3) and later, as they
> were built --without-libsoup (to avoid an unrelated crash, #1017528), and
> the description and upstream fix suggest that the vulnerable functionality
> requires libsoup. Is this enough evidence to mark it as non-vulnerable in
> the security tracker, and if so, what is the process for doing so?
>
> It probably does affect oldstable and earlier, but given its 'minor' status
> in the security tracker, this might not be worth fixing. As noted earlier
> in the bug, it has been properly fixed in unstable.

As we track it on source-code level, not not-affected, but if the issue has
no impact we might change it to <ignored> rather than <no-dsa> and put it
away from the radar.

But what happens if built with --without-libsoup? I guess then TLS
certificate validation is absent as well; what are the consequences?

Regards,
Salvatore

