Bugzilla – Bug 1186594
VUL-0: CVE-2016-20011: libgrss: Does not perform TLS certificate validation
Last modified: 2022-08-23 08:05:15 UTC
libgrss through 0.7.0 fails to perform TLS certificate verification when downloading feeds, allowing remote attackers to manipulate the contents of feeds without detection. This occurs because of the default behavior of SoupSessionSync.

References:
- https://bugzilla.gnome.org/show_bug.cgi?id=772647
- https://gitlab.gnome.org/GNOME/libgrss/-/issues/4
- https://bugzilla.redhat.com/show_bug.cgi?id=1965453
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-20011
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-20011
Affected packages:
- SUSE:SLE-15:Update/libgrss 0.7.0
- openSUSE:Factory/libgrss 0.7.0

No patch has been released yet.

The following are the affected lines:
openSUSE:Factory/libgrss-0.7.0/src/feed-channel.c:1113: session = soup_session_async_new ();
openSUSE:Factory/libgrss-0.7.0/src/feed-channel.c:1230: session = soup_session_async_new ();
openSUSE:Factory/libgrss-0.7.0/src/feeds-subscriber.c:517: sub->priv->soupsession = soup_session_async_new ();
openSUSE:Factory/libgrss-0.7.0/src/feed-enclosure.c:285: session = soup_session_async_new ();
openSUSE:Factory/libgrss-0.7.0/src/feeds-publisher.c:884: pub->priv->soupsession = soup_session_async_new ();
openSUSE:Factory/libgrss-0.7.0/src/feeds-pool.c:180: node->priv->soupsession = soup_session_async_new ();
openSUSE:Factory/libgrss-0.7.0/src/feed-channel.c:1013: session = soup_session_sync_new ();
openSUSE:Factory/libgrss-0.7.0/src/feed-channel.c:1143: session = soup_session_sync_new ();
openSUSE:Factory/libgrss-0.7.0/src/feed-enclosure.c:222: session = soup_session_sync_new ();
SUSE:SLE-15:Update/libgrss-0.7.0/src/feed-channel.c:1113: session = soup_session_async_new ();
SUSE:SLE-15:Update/libgrss-0.7.0/src/feed-channel.c:1230: session = soup_session_async_new ();
SUSE:SLE-15:Update/libgrss-0.7.0/src/feeds-subscriber.c:517: sub->priv->soupsession = soup_session_async_new ();
SUSE:SLE-15:Update/libgrss-0.7.0/src/feed-enclosure.c:285: session = soup_session_async_new ();
SUSE:SLE-15:Update/libgrss-0.7.0/src/feeds-publisher.c:884: pub->priv->soupsession = soup_session_async_new ();
SUSE:SLE-15:Update/libgrss-0.7.0/src/feeds-pool.c:180: node->priv->soupsession = soup_session_async_new ();
SUSE:SLE-15:Update/libgrss-0.7.0/src/feed-channel.c:1013: session = soup_session_sync_new ();
SUSE:SLE-15:Update/libgrss-0.7.0/src/feed-channel.c:1143: session = soup_session_sync_new ();
SUSE:SLE-15:Update/libgrss-0.7.0/src/feed-enclosure.c:222: session = soup_session_sync_new ();
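The listing in comment #1 is the output of a source scan for libsoup 2.x old-style session constructors. The script below is an added example written for this report, not libgrss's or SUSE's own tooling: it reproduces that scan over a source tree, skips calls that already pass a CA/TLS database to a `_with_options` variant, and returns the count so it can gate a package build. The sample tree it creates is constructed to mimic the affected files; the property names it filters on (`SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE`, `ssl-use-system-ca-file`, `tls-database`) are libsoup 2.x's.

```shell
#!/bin/sh
# Audit a source tree for libsoup 2.x old-style session constructors
# (soup_session_sync_new / soup_session_async_new). Unlike soup_session_new(),
# these do not enable ssl-use-system-ca-file by default, so with no TLS
# database set the session accepts any server certificate (CVE-2016-20011).
# Added example for this bug report; not part of libgrss.

# Print every hit as file:line: text, the same shape as the bug's listing.
# Calls that pass a CA file / TLS database on the same line are filtered out.
find_unverified_sessions() {
    tree="$1"
    grep -rnE --include='*.c' \
        'soup_session_(sync|async)_new(_with_options)?[[:space:]]*\(' "$tree" \
        | grep -vE 'SSL_USE_SYSTEM_CA_FILE|ssl-use-system-ca-file|tls-database|TLS_DATABASE|ssl-ca-file|SSL_CA_FILE' \
        || true
}

# Print only the number of hits, for use as a CI / packaging gate.
count_unverified_sessions() {
    find_unverified_sessions "$1" | wc -l | tr -d ' '
}

# Create a constructed sample tree (not the real libgrss source) so the
# audit can be exercised offline. Prints the directory path.
make_sample_tree() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/src"
    cat > "$tmp/src/feed-channel.c" <<'EOF'
/* constructed sample: two unverified sessions */
static void fetch_sync (void)
{
	SoupSession *session;
	session = soup_session_sync_new ();
}
static void fetch_async (void)
{
	SoupSession *session;
	session = soup_session_async_new ();
}
EOF
    cat > "$tmp/src/feeds-pool.c" <<'EOF'
/* constructed sample: one unverified line, one hardened line */
node->priv->soupsession = soup_session_async_new ();
node->priv->soupsession = soup_session_async_new_with_options (SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, SOUP_SESSION_SSL_STRICT, TRUE, NULL);
EOF
    printf '%s\n' "$tmp"
}

# Usage: sh audit-soup-sessions.sh /path/to/libgrss-0.7.0
if [ -n "${1:-}" ]; then
    find_unverified_sessions "$1"
    echo "unverified sessions: $(count_unverified_sessions "$1")"
fi
```

The filter only sees one line at a time, so a `_with_options` call whose property list continues on following lines is still reported and needs a manual look; a `g_object_set (session, "ssl-use-system-ca-file", TRUE, NULL)` made elsewhere is likewise not credited. Treat the output as a worklist, as comment #1 does, not as a verdict.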
(In reply to Gianluca Gabrielli from comment #1)
> Affected packages:
> - SUSE:SLE-15:Update/libgrss 0.7.0
> - openSUSE:Factory/libgrss 0.7.0
>
> No patch has been released yet.

https://gitlab.gnome.org/GNOME/libgrss/-/merge_requests/7

I will submit the patch to our codebase once the MR is accepted.
SUSE:SLE-15-SP4:Update/libgrss is also affected.