Bug 1189844 - (CVE-2021-39360) VUL-0: CVE-2021-39360: libzapojit: missing TLS certificate verification
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/307797/
CVSSv3.1:SUSE:CVE-2021-39360:7.5:(AV:...
Reported: 2021-08-26 14:41 UTC by Gianluca Gabrielli
Modified: 2022-09-14 15:25 UTC (History)
Found By: Security Response Team
Comment 1 Gianluca Gabrielli 2021-08-26 14:42:01 UTC
Potential affected packages:
 - SUSE:SLE-12:Update/libzapojit             0.0.3
 - SUSE:SLE-15:Update/libzapojit             0.0.3
 - openSUSE:Factory/libzapojit               0.0.3
 - openSUSE:Backports:SLE-15-SP2/libzapojit  0.0.3

No patch is available yet.
Comment 2 Hu 2022-08-08 14:24:45 UTC
There is now a fix: https://gitlab.gnome.org/Archive/libzapojit/-/merge_requests/3/diffs

Could you please submit for the codestreams mentioned by Gianluca?
Thank you very much :)
Comment 3 Thomas Leroy 2022-09-06 12:09:15 UTC
(In reply to Gianluca Gabrielli from comment #1)
> Potential affected packages:
>  - SUSE:SLE-12:Update/libzapojit             0.0.3
>  - SUSE:SLE-15:Update/libzapojit             0.0.3


Hi, any news?
Comment 4 Yifan Jiang 2022-09-07 01:10:19 UTC
Hi Cliff,

Could you help with the submission please? Thanks.
Comment 5 Yifan Jiang 2022-09-07 03:20:24 UTC
Cliff just reminded me Mike Gorse is actually in the middle of handling this:

https://build.opensuse.org/request/show/1001523

So I am redirecting the credit to Mike.
Comment 6 OBSbugzilla Bot 2022-09-07 15:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1189844) was mentioned in
https://build.opensuse.org/request/show/1001783 Backports:SLE-15-SP2 / libzapojit
Comment 8 Swamp Workflow Management 2022-09-14 10:22:29 UTC
SUSE-SU-2022:3266-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1189844
CVE References: CVE-2021-39360
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    libzapojit-0.0.3-5.3.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libzapojit-0.0.3-5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-09-14 10:39:35 UTC
SUSE-SU-2022:3267-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1189844
CVE References: CVE-2021-39360
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    libzapojit-0.0.3-150000.3.5.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    libzapojit-0.0.3-150000.3.5.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    libzapojit-0.0.3-150000.3.5.1
