Opened 3 years ago
Closed 3 years ago
#15448 closed enhancement (fixed)
libsoup-2.74.0
| Reported by: | Douglas R. Reno | Owned by: | Bruce Dubbs |
|---|---|---|---|
| Priority: | elevated | Milestone: | 11.0 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New minor version
Change History (6)
comment:1 by , 3 years ago
| Milestone: | 11.1 → 11.0 |
|---|
comment:2 by , 3 years ago
| Priority: | normal → elevated |
|---|
Changes in libsoup from 2.72.0 to 2.74.0: * IMPORTANT: Enable ssl-use-system-ca-file by default on deprecated Sync and Async sessions [Patrick Griffis] See here for details: https://gitlab.gnome.org/GNOME/libsoup/-/commit/71ca70a0f62cfc30dfacfd2ee0952a86e2e64055 * Fix including headers in C++ projects [Patrick Griffis] * Fix attempting to resolve relative paths with data URIs [Ryan Gonzalez] * Support Content-Disposition headers without a disposition-type [Patrick Griffis] * Fix building VAPI bindings with latest Vala [Rico Tzschichholz] * Fix sending a Content-Length header in a response with status code of 1xx or 204 [Ignacio Casal Quinteiro] * Updated translations: Occitan, Persian, Nepali, Belarusian, Greek, British English, Portuguese
The first part of that commit says:
Enable ssl-use-system-ca-file on deprecated Sync and Async sessions The default was disabled for backwards compatability however it was an unsafe default and many projects unknowingly did not enable it. This is a break in behavior however the security concerns are important. The belief that all projects would switch to the safer SoupSession didn't happen and the number of under-maintained projects is too many to fix quickly. This brings a base level of security to all of them and will likely not actually break much as the modern internet depends on CAs heavily.
(further details there if things do break).
I guess that makes it a security fix.
comment:3 by , 3 years ago
I can't take this, don't have apache, kerberos, php, samba on the machines where I use libsoup so cannot run the tests.
I also use '-Dsysprof=disabled' instead of that recommended dep.
Oh, and the 'security fix' aspect is like 'expat' - tightening up rather than a specific vulnerability, so maybe not worth mentioning in an advisory.
comment:4 by , 3 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:5 by , 3 years ago
This package wants to do a git fetch of sysconf if git is available. git has a long message about the root of the tree not being called 'master'. It's a politically correct thing in the US. I will disable it with -Dsysprof=disabled. We don't need profiling.
comment:6 by , 3 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at commit 296dce9a08d154aa0dd19630e807bd7716c42624
Promote back to 11.0.