Several GNOME projects not performing TLS certificate verification
We'll want to get CVEs for most of these:
- GNOME/libgrss#4 (CVE-2016-20011)
- GNOME/libgda#249 (closed)
- GNOME/libgfbgraph#17 (closed)
- GNOME/grilo#146 (closed)
There is also GNOME/frogr#6, but frogr is only affected when built against pre-2013 libsoup, so I don't think we need to request a CVE for frogr.
I also noticed that Empathy is using SoupSessionAsync without certificate verification, but it's only loading an http:// URL as part of a pastebin feature. So, although http:// is even worse than https:// without certificate verification, use of http:// indicates it is insecure by design, and therefore probably not worth a CVE.
Finally, there are a few notable non-GNOME projects that we care about:
We're not responsible for these, but I mention them here because it's useful for me to track them.