CVE-2021-39365: 
NixOS vulnerability analysis and mitigation

CVE-2021-39365 affects GNOME grilo through version 0.3.13, where the grl-net-wc.c component fails to enable TLS certificate verification on SoupSessionAsync objects. This vulnerability was discovered in May 2021 and publicly disclosed in August 2021. The issue affects multiple Linux distributions including Debian and Ubuntu that use the GNOME grilo framework for discovering and browsing media (GNOME Blog, NVD).

The vulnerability stems from the lack of TLS certificate verification in SoupSessionAsync objects created by the grl-net-wc.c component. This is related to the older, deprecated SoupSessionSync and SoupSessionAsync subclasses of SoupSession that do not implement secure defaults. The issue has been assigned a CVSS v3.1 Base Score of 5.9 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-295 (Improper Certificate Validation) (NVD).

The vulnerability leaves users susceptible to network Man-in-the-Middle (MITM) attacks due to the lack of TLS certificate verification. This could potentially allow attackers to intercept and view sensitive information transmitted between the application and network services (Debian Advisory).

The issue has been fixed in multiple distributions: Debian 9 (Stretch) in version 0.3.2-2+deb9u1, Debian 10 (Buster) in version 0.3.7-1+deb10u1, and Debian 11 (Bullseye) in version 0.3.13-1+deb11u1. Users are recommended to upgrade their grilo packages to these patched versions. The vulnerability is also addressed in libsoup3, where the affected APIs have been removed (Debian LTS, Debian Advisory).

The vulnerability was initially highlighted in a blog post by Michael Catanzaro, who emphasized the importance of proper TLS certificate verification. The community response led to the decision to change this behavior in newer versions, and the affected APIs have been deprecated since libsoup 2.42 in 2013 (GNOME Blog).