Hi Security Team,

I'm not a member of the Debian GNOME Team nor do I have uploading privileges for this package, but for the sake of helping move this along and also for my own pleasure, I'm preparing a merge request to address this bug. I would like your acknowledgment that preparing an ordinary stable update is okay.

It was discovered in August that the Errands graphical task manager hard-codes in its source that no TLS certificate verification (hostname or otherwise) be done or attempted when connecting to CalDAV servers; any presented TLS certificate is always accepted. (CalDAV here usually uses HTTP Basic authentication, so TLS is the sole confidentiality layer.) At my request, the upstream author made a new release with addressing this as the only substantial change. No formal security advisory or vulnerability identifier was issued, and thus it's not in the Debian Security Tracker either. This has always been a non-confidential issue.

Can I have your affirmation that it's okay to proceed going the trixie-updates/Release Team route to upload a fix as if it were a non-security bug? I understand that your judgment is required before anyone (a GNOME Team member or myself) can commence an upload.

Thanks

See also:
• upstream issue at https://github.com/mrvladus/Errands/issues/401
• my description of the problem and informal request for advice on these types of issues on the debian-security mailing list at https://lists.debian.org/msgid-search/3e999822ca44723959d49c896c2c8861af1f10f9.camel%40posteo.net
--- Begin Message ---
Thank you Matthias; I'm glad this issue was given scrutiny upstream and made into a new release which you uploaded to unstable. In my opinion, this is an important issue to fix in Trixie, and I think the upstream release should be appropriate as-is because it has minimal changes. Do you plan to get Release Team approval to make an upload to trixie-(proposed-)updates? It would be smart to let it migrate to testing and sit there for a few days first, I suppose. I can't make the official upload for this package as I'm not a Debian Developer, but if you would find it helpful, I'd be glad to stage changes on Salsa, test on Trixie, and secure Release Team approval for you. Let me know what your thoughts are.
--- End Message ---
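The weak setting the report describes, beside its corrected form, as an added Python example that is not Errands' own code: a client TLS context that accepts any certificate, a verifying context, a small audit helper a reviewer can run against a context, and a CalDAV PROPFIND builder that refuses to attach HTTP Basic credentials to a non-verifying context. The host, path and credentials are constructed placeholders.

```python
import base64
import http.client
import ssl


def weak_context():
    """The behaviour the bug report describes: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # chain is never validated
    return ctx


def verifying_context(cafile=None):
    """Corrected form: system (or given) CA store, chain and hostname checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default; made explicit
    ctx.check_hostname = True
    return ctx


def audit_context(ctx):
    """Report the two settings a reviewer checks for in a TLS client."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def is_safe(ctx):
    return all(audit_context(ctx).values())


def caldav_propfind(host, path, user, password, ctx, send=False):
    """Build (and optionally send) a CalDAV PROPFIND with Basic auth.

    Basic auth carries the password in cleartext inside TLS, so a context
    that does not verify the peer gets no credentials at all.
    """
    if not is_safe(ctx):
        raise ValueError("refusing Basic auth over a non-verifying TLS context")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Depth": "0",
               "Content-Type": "application/xml; charset=utf-8"}
    body = ('<?xml version="1.0"?><d:propfind xmlns:d="DAV:">'
            '<d:prop><d:current-user-principal/></d:prop></d:propfind>')
    if send:  # network path: only taken when the caller asks for it
        conn = http.client.HTTPSConnection(host, context=ctx)
        conn.request("PROPFIND", path, body=body, headers=headers)
        return conn.getresponse().status
    return headers, body
```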

