Bugzilla – Bug 1189844
VUL-0: CVE-2021-39360: libzapojit: missing TLS certificate verification
Last modified: 2024-05-13 17:11:02 UTC
In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011. References: https://gitlab.gnome.org/GNOME/libzapojit/-/issues/4 https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/ References: https://bugzilla.redhat.com/show_bug.cgi?id=1997152 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39360 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39360 http://www.cvedetails.com/cve/CVE-2021-39360/ https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/ https://gitlab.gnome.org/GNOME/libzapojit/-/issues/4
Potential affected packages: - SUSE:SLE-12:Update/libzapojit 0.0.3 - SUSE:SLE-15:Update/libzapojit 0.0.3 - openSUSE:Factory/libzapojit 0.0.3 - openSUSE:Backports:SLE-15-SP2/libzapojit 0.0.3 No patch is available yet.
There is now a fix: https://gitlab.gnome.org/Archive/libzapojit/-/merge_requests/3/diffs Could you please submit for the codestreams mentioned by Gianluca? Thank you very much :)
(In reply to Gianluca Gabrielli from comment #1) > Potential affected packages: > - SUSE:SLE-12:Update/libzapojit 0.0.3 > - SUSE:SLE-15:Update/libzapojit 0.0.3 Hi, any news?
Hi Cliff, Could you help on the submission please? Thanks.
Cliff just reminded me Mike Gorse is actually in the middle of handling this: https://build.opensuse.org/request/show/1001523 So I am redirecting the credit to Mike.
This is an autogenerated message for OBS integration: This bug (1189844) was mentioned in https://build.opensuse.org/request/show/1001783 Backports:SLE-15-SP2 / libzapojit
SUSE-SU-2022:3266-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1189844 CVE References: CVE-2021-39360 JIRA References: Sources used: SUSE Linux Enterprise Workstation Extension 12-SP5 (src): libzapojit-0.0.3-5.3.1 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libzapojit-0.0.3-5.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3267-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1189844 CVE References: CVE-2021-39360 JIRA References: Sources used: openSUSE Leap 15.3 (src): libzapojit-0.0.3-150000.3.5.1 SUSE Linux Enterprise Workstation Extension 15-SP3 (src): libzapojit-0.0.3-150000.3.5.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): libzapojit-0.0.3-150000.3.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.