CVE-2021-39365

Published: 22 August 2021

In GNOME grilo through 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

Priority

Medium

CVSS 3 base score: 5.9

Status

Package: grilo (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Released (0.3.13-1ubuntu0.1)
Ubuntu 20.04 LTS (Focal Fossa): Released (0.3.12-1ubuntu0.1)
Ubuntu 18.04 LTS (Bionic Beaver): Released (0.3.4-1ubuntu0.1)
Ubuntu 16.04 ESM (Xenial Xerus): Released (0.2.15-1ubuntu0.1~esm1)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Patches:
Upstream: https://gitlab.gnome.org/GNOME/grilo/-/commit/cd2472e506dafb1bb8ae510e34ad4797f63e263e