Your message dated Sat, 04 Sep 2021 21:34:32 +0000
with message-id <[email protected]>
and subject line Bug#992971: fixed in grilo 0.3.13-1.1
has caused the Debian Bug report #992971,
regarding grilo: CVE-2021-39365
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
992971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992971
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: grilo
Version: 0.3.13-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/grilo/-/issues/146
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 0.3.7-1

Hi,

The following vulnerability was published for grilo.

CVE-2021-39365[0]:
| In GNOME grilo through 0.3.13, grl-net-wc.c does not enable TLS
| certificate verification on the SoupSessionAsync objects it creates,
| leaving users vulnerable to network MITM attacks. NOTE: this is
| similar to CVE-2016-20011.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-39365
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39365
[1] https://gitlab.gnome.org/GNOME/grilo/-/issues/146

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: grilo
Source-Version: 0.3.13-1.1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
grilo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated grilo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 Sep 2021 23:05:13 +0200
Source: grilo
Architecture: source
Version: 0.3.13-1.1
Distribution: unstable
Urgency: medium
Maintainer: Alberto Garcia <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 992971
Changes:
 grilo (0.3.13-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Alberto Garcia ]
   * fix-tls-cert-validation.patch:
     - Fix TLS cert validation not being done for any network call
       (Closes: #992971, CVE-2021-39365).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
