Your message dated Thu, 02 Sep 2021 19:47:13 +0000
with message-id <[email protected]>
and subject line Bug#992971: fixed in grilo 0.3.13-1+deb11u1
has caused the Debian Bug report #992971,
regarding grilo: CVE-2021-39365
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
992971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992971
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: grilo
Version: 0.3.13-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/grilo/-/issues/146
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 0.3.7-1

Hi,

The following vulnerability was published for grilo.

CVE-2021-39365[0]:
| In GNOME grilo through 0.3.13, grl-net-wc.c does not enable TLS
| certificate verification on the SoupSessionAsync objects it creates,
| leaving users vulnerable to network MITM attacks. NOTE: this is
| similar to CVE-2016-20011.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-39365
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39365
[1] https://gitlab.gnome.org/GNOME/grilo/-/issues/146

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
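A source-audit check for the bug class described in the CVE text above, as an added example that is not grilo's or Debian's code: it flags C files that create a SoupSessionAsync/SoupSessionSync without setting any libsoup 2.x trust-store property. The C snippets are constructed samples, and the per-file matching is a heuristic assumption, not a full parser.

```python
import re

# Session constructors/types of the deprecated libsoup 2.x subclasses.
CTOR = re.compile(r"\bsoup_session_(?:async|sync)_new(?:_with_options)?\s*\("
                  r"|\bSOUP_TYPE_SESSION_(?:ASYNC|SYNC)\b")
# libsoup 2.x properties (string or macro form) that give a session a trust store.
TRUST = re.compile(r'"(?:ssl-use-system-ca-file|ssl-ca-file|tls-database)"'
                   r"|\bSOUP_SESSION_(?:SSL_USE_SYSTEM_CA_FILE|SSL_CA_FILE|TLS_DATABASE)\b")
# A trust property explicitly set to FALSE or NULL does not count as configured.
OFF = re.compile(r'(?:"[a-z-]+"|\w+)\s*,\s*(?:FALSE|NULL)\b')
# String literals are matched first so "//" inside a URL is not taken for a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)


def strip_comments(src):
    """Blank out C comments, keeping strings and newlines so line numbers hold."""
    def blank(m):
        text = m.group()
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(blank, src)


def audit(src):
    """Return line numbers of session constructors in a file that never
    enables a trust store; an empty list means nothing was flagged."""
    code = strip_comments(src)
    configured = any(not OFF.match(code, m.start()) for m in TRUST.finditer(code))
    if configured:
        return []
    return [code.count("\n", 0, m.start()) + 1 for m in CTOR.finditer(code)]


# Constructed sample: the only mention of a trust store is commented out.
VULNERABLE_SAMPLE = """\
static void init (Wc *self) {
  /* g_object_set (self->session, "ssl-use-system-ca-file", TRUE, NULL); */
  self->session = soup_session_async_new ();
  g_object_set (self->session, "user-agent", "demo/1.0", NULL);
}
"""
# Constructed sample: same code with the property actually set.
FIXED_SAMPLE = VULNERABLE_SAMPLE.replace("/* ", "").replace(" */", "")

if __name__ == "__main__":
    print("vulnerable sample ->", audit(VULNERABLE_SAMPLE))
    print("fixed sample      ->", audit(FIXED_SAMPLE))
```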
--- Begin Message ---
Source: grilo
Source-Version: 0.3.13-1+deb11u1
Done: Alberto Garcia <[email protected]>

We believe that the bug you reported is fixed in the latest version of
grilo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Garcia <[email protected]> (supplier of updated grilo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 26 Aug 2021 23:10:58 +0200
Source: grilo
Architecture: source
Version: 0.3.13-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Alberto Garcia <[email protected]>
Changed-By: Alberto Garcia <[email protected]>
Closes: 992971
Changes:
 grilo (0.3.13-1+deb11u1) bullseye-security; urgency=high
 .
   * fix-tls-cert-validation.patch:
     - Fix TLS cert validation not being done for any network call
       (Closes: #992971, CVE-2021-39365).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
