Several GNOME projects not performing TLS certificate verification
We'll want to get CVEs for most of these:
- GNOME/libgrss#4 (CVE-2016-20011)
- GNOME/libgda#249 (closed)
- https://gitlab.gnome.org/GNOME/libzapojit/-/issues/4
- https://gitlab.gnome.org/GNOME/evolution-rss/-/issues/11
- GNOME/libgfbgraph#17 (closed)
- GNOME/grilo#146 (closed)
There is also GNOME/frogr#6, but frogr is only affected when built against pre-2013 libsoup, so I don't think we need to request a CVE for frogr.
I also noticed that Empathy is using SoupSessionAsync without certificate verification, but it's only loading an http:// URL as part of a pastebin feature. So, although http:// is even worse than https:// without certificate verification, use of http:// indicates it is insecure by design, and therefore probably not worth a CVE.
Finally, there are a few notable non-GNOME projects that we care about:
- https://github.com/intel/dleyna-server/issues/169
- https://github.com/intel/dleyna-renderer/issues/171
- https://github.com/mate-desktop/libmateweather/issues/96
We're not responsible for these, but I mention them here because it's useful for me to track them.
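The common root cause above is a libsoup 2.x client built on the old-style SoupSessionAsync/SoupSessionSync constructors, which do not verify TLS certificates unless the caller opts in with `ssl-use-system-ca-file` (or `tls-database`) and `ssl-strict`; plain `soup_session_new ()` from libsoup 2.42 onwards verifies by default. The following heuristic source audit is an added example, not code from any of the projects listed; the `audit_soup_sessions` and `make_samples` names and the sample C files are constructed for the illustration.

```shell
#!/bin/sh
# Heuristic source audit for libsoup 2.x clients (added example, not project code).
# Old-style constructors (soup_session_async_new / soup_session_sync_new) verify
# nothing unless the caller also supplies a CA database (ssl-use-system-ca-file or
# tls-database); soup_session_new () from libsoup >= 2.42 verifies by default.

audit_soup_sessions() {
  # $1: directory of C sources. Prints one line per finding; returns 1 if any.
  found=0
  for f in "$1"/*.c; do
    [ -f "$f" ] || continue
    if grep -Eq 'soup_session_(async|sync)_new' "$f" &&
       ! grep -Eq 'ssl-use-system-ca-file|SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE|tls-database|SOUP_SESSION_TLS_DATABASE' "$f"; then
      echo "$f: old-style SoupSession with no CA database (certificates not verified)"
      found=1
    fi
    # Explicitly disabling ssl-strict downgrades any session, new-style included.
    if grep -Eq '(ssl-strict"|SOUP_SESSION_SSL_STRICT)[[:space:]]*,[[:space:]]*FALSE' "$f"; then
      echo "$f: ssl-strict set to FALSE (certificate errors are ignored)"
      found=1
    fi
  done
  return "$found"
}

make_samples() {
  # Constructed sample sources standing in for a project tree (not real GNOME code).
  d=$(mktemp -d)
  printf '%s\n' 'SoupSession *s = soup_session_async_new ();' > "$d/old_unverified.c"
  printf '%s\n' 'SoupSession *s = soup_session_async_new_with_options (' \
    '    SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,' \
    '    SOUP_SESSION_SSL_STRICT, TRUE, NULL);' > "$d/old_with_ca.c"
  printf '%s\n' 'SoupSession *s = soup_session_new ();' > "$d/new_style.c"
  printf '%s\n' 'SoupSession *s = soup_session_new ();' \
    'g_object_set (s, "ssl-strict", FALSE, NULL);' > "$d/strict_false.c"
  printf '%s\n' "$d"
}

# Stand-alone demo: audit the constructed samples (non-zero status means findings).
samples=$(make_samples)
if audit_soup_sessions "$samples"; then echo "no findings"; fi
rm -rf "$samples"
```

The check is file-local, so a session whose properties are set in another source file will be reported as a false positive; treat its output as a list of call sites to review, not as a verdict.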