Opened 3 years ago
Closed 3 years ago
New minor version
Promote back to 11.0.
Changes in libsoup from 2.72.0 to 2.74.0:
* IMPORTANT: Enable ssl-use-system-ca-file by default on deprecated
Sync and Async sessions [Patrick Griffis]
See here for details:
* Fix including headers in C++ projects [Patrick Griffis]
* Fix attempting to resolve relative paths with data URIs [Ryan Gonzalez]
* Support Content-Disposition headers without a disposition-type [Patrick Griffis]
* Fix building VAPI bindings with latest Vala [Rico Tzschichholz]
* Fix sending a Content-Length header in a response with status code of 1xx or 204
[Ignacio Casal Quinteiro]
* Updated translations: Occitan, Persian, Nepali, Belarusian, Greek, British English,
The first part of that commit says:
Enable ssl-use-system-ca-file on deprecated Sync and Async sessions
The default was disabled for backwards compatibility however it
was an unsafe default and many projects unknowingly did not enable
This is a break in behavior however the security concerns are important.
The belief that all projects would switch to the safer SoupSession
didn't happen and the number of under-maintained projects is too
many to fix quickly.
This brings a base level of security to all of them and will likely
not actually break much as the modern internet depends on CAs heavily.
(further details there if things do break).
I guess that makes it a security fix.
I can't take this, don't have apache, kerberos, php, samba on the machines where I use libsoup so cannot run the tests.
I also use '-Dsysprof=disabled' instead of that recommended dep.
Oh, and the 'security fix' aspect is like 'expat' - tightening up rather than a specific vulnerability, so maybe not worth mentioning in an advisory.
This package wants to do a git fetch of sysconf if git is available. git has a long message about the root of the tree not being called 'master'. It's a politically correct thing in the US. I will disable it with -Dsysprof=disabled. We don't need profiling.
Fixed at commit 296dce9a08d154aa0dd19630e807bd7716c42624