Opened 3 years ago

Closed 3 years ago

#15448 closed enhancement (fixed)


Reported by: Douglas R. Reno
Owned by: Bruce Dubbs
Priority: elevated
Milestone: 11.0
Component: BOOK
Version: git
Severity: normal
Keywords:


New minor version

Change History (6)

comment:1 by Douglas R. Reno, 3 years ago

Milestone: 11.1 → 11.0

Promote back to 11.0.

comment:2 by ken@…, 3 years ago

Priority: normal → elevated
Changes in libsoup from 2.72.0 to 2.74.0:

	* IMPORTANT: Enable ssl-use-system-ca-file by default on deprecated
	  Sync and Async sessions [Patrick Griffis]
	  See here for details:

	* Fix including headers in C++ projects [Patrick Griffis]

	* Fix attempting to resolve relative paths with data URIs [Ryan Gonzalez]

	* Support Content-Disposition headers without a disposition-type [Patrick Griffis]

	* Fix building VAPI bindings with latest Vala [Rico Tzschichholz]

	* Fix sending a Content-Length header in a response with status code of 1xx or 204
	  [Ignacio Casal Quinteiro]

	* Updated translations: Occitan, Persian, Nepali, Belarusian, Greek, British English,

The first part of that commit says:

 Enable ssl-use-system-ca-file on deprecated Sync and Async sessions

The default was disabled for backwards compatibility however it
was an unsafe default and many projects unknowingly did not enable

This is a break in behavior however the security concerns are important.
The belief that all projects would switch to the safer SoupSession
didn't happen and the number of under-maintained projects is too
many to fix quickly.

This brings a base level of security to all of them and will likely
not actually break much as the modern internet depends on CAs heavily.

(further details there if things do break).

I guess that makes it a security fix.
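The commit quoted above is about projects that still build the deprecated SoupSessionSync / SoupSessionAsync sessions and never set ssl-use-system-ca-file, which before 2.74.0 meant the server certificate was not checked against the system CA store. The following shell script is an added example, not code from the ticket or from libsoup: one function answers whether an installed libsoup (version string as printed by `pkg-config --modversion libsoup-2.4`) already ships the safer default, the other greps a source tree for the deprecated session constructors without an explicit opt-in. The sample tree it builds under `mktemp -d` is constructed for the demonstration and is not real project code.

```shell
#!/bin/sh
# Added example (not from the ticket or the libsoup project).
# libsoup 2.74.0 flipped the default of ssl-use-system-ca-file to TRUE on the
# deprecated SoupSessionSync/SoupSessionAsync classes; older releases left it
# FALSE, so applications that never set it did no CA validation.

# Return 0 when the given libsoup version is 2.74.0 or newer, 1 otherwise.
libsoup_has_safe_default() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    case "$major$minor" in *[!0-9]*|'') return 1 ;; esac
    [ "$major" -gt 2 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -ge 74 ] && return 0
    return 1
}

# Patterns: deprecated session constructors (C and Vala spellings) and the
# explicit opt-in that makes them validate certificates on any libsoup 2.x.
DEPRECATED_RE='soup_session_(sync|async)_new|SOUP_TYPE_SESSION_(SYNC|ASYNC)|Soup\.Session(Sync|Async)'
OPTIN_RE='ssl-use-system-ca-file|SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE|ssl_use_system_ca_file'

# Print every C/Vala file under $1 that creates a deprecated session but never
# mentions ssl-use-system-ca-file. Returns 1 if at least one such file exists.
audit_deprecated_sessions() {
    dir="$1"
    hits=$(find "$dir" -type f \( -name '*.c' -o -name '*.h' -o -name '*.vala' \) -print |
        while IFS= read -r f; do
            if grep -Eq "$DEPRECATED_RE" "$f" && ! grep -Eq "$OPTIN_RE" "$f"; then
                printf '%s\n' "$f"
            fi
        done)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample tree (three tiny files, not real project sources).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/src"
    cat > "$d/src/legacy.c" <<'EOF'
/* constructed: deprecated session, no CA opt-in -> flagged */
SoupSession *s = soup_session_async_new ();
EOF
    cat > "$d/src/fixed.c" <<'EOF'
/* constructed: deprecated session with explicit opt-in -> not flagged */
SoupSession *s = soup_session_async_new_with_options (
    SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
EOF
    cat > "$d/src/modern.c" <<'EOF'
/* constructed: plain SoupSession validates certificates by default */
SoupSession *s = soup_session_new ();
EOF
    printf '%s\n' "$d"
}

# Demo run on the constructed tree; only legacy.c should be reported.
sample=$(make_sample_tree)
audit_deprecated_sessions "$sample" || echo "audit: at least one file needs an explicit opt-in"
rm -rf "$sample"
```

Run `audit_deprecated_sessions /path/to/checkout` against a real tree to find the "under-maintained projects" the commit talks about; a hit is only a real problem on hosts where `libsoup_has_safe_default "$(pkg-config --modversion libsoup-2.4)"` fails, but adding the explicit property is the right fix regardless of the installed version.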

comment:3 by ken@…, 3 years ago

I can't take this; I don't have apache, kerberos, php or samba on the machines where I use libsoup, so I cannot run the tests.

I also use '-Dsysprof=disabled' instead of that recommended dep.

Oh, and the 'security fix' aspect is like 'expat' - tightening up rather than a specific vulnerability, so maybe not worth mentioning in an advisory.

comment:4 by Bruce Dubbs, 3 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:5 by Bruce Dubbs, 3 years ago

This package wants to do a git fetch of sysconf if git is available. git has a long message about the root of the tree not being called 'master'. It's a politically correct thing in the US. I will disable it with -Dsysprof=disabled. We don't need profiling.

comment:6 by Bruce Dubbs, 3 years ago

Resolution: fixed
Status: assigned → closed