summaryrefslogtreecommitdiff
path: root/0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch
diff options
context:
space:
mode:
Diffstat (limited to '0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch')
-rw-r--r--0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch33
1 files changed, 33 insertions, 0 deletions
diff --git a/0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch b/0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch
new file mode 100644
index 0000000..743d4bc
--- /dev/null
+++ b/0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch
@@ -0,0 +1,33 @@
+From cd2472e506dafb1bb8ae510e34ad4797f63e263e Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Mon, 21 Jun 2021 15:00:14 +0200
+Subject: [PATCH 2/2] net: Fix TLS cert validation not being done for any
+ network call
+
+The default SoupSessionAsync behaviour does not perform any TLS certificate
+validation, unless the ssl-use-system-ca-file property is set to true.
+
+See https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/
+
+This mitigates CVE-2016-20011.
+
+Closes: #146
+---
+ libs/net/grl-net-wc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libs/net/grl-net-wc.c b/libs/net/grl-net-wc.c
+index 5a8e89f..5ff1d17 100644
+--- a/libs/net/grl-net-wc.c
++++ b/libs/net/grl-net-wc.c
+@@ -314,6 +314,7 @@ grl_net_wc_init (GrlNetWc *wc)
+ wc->priv = grl_net_wc_get_instance_private (wc);
+
+ wc->priv->session = soup_session_async_new ();
++ g_object_set (G_OBJECT (wc->priv->session), "ssl-use-system-ca-file", TRUE, NULL);
+ wc->priv->pending = g_queue_new ();
+
+ set_thread_context (wc);
+--
+2.31.1
+
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-31 01:56:14 +0000