Having solicited informal opinions from the Debian security mailing list (attached), I'm filing this report to keep an eye on the issue. To summarize, Errands is able to synchronize a user's task and to-do list data using the CalDAV protocol, a superset of HTTP. Credentials may be retrieved from GNOME Online Accounts where setting up CalDAV is already possible, or information can be entered directly in Errands. This consists of a URL (usually HTTPS) and username/password authentication credentials. It is typical for major providers to use HTTP Basic authentication, which sends credentials in plain form and relies on TLS to authenticate the server's identity and encrypt data in transit. In its source code, Errands explicitly specifies 'ssl_verify_cert=False' unconditionally when using a Python CalDAV library. It appears this allows it to accept any certificate whatsoever, even from a malicious man-in-the-middle, without notice to the user. The author doesn't remember why this was needed, but enabling certificate checking works fine for me with a server and my suspicion is the author had a particular service that wasn't doing things properly. Disabling this security check for all users unconditionally and without notice is not an appropriate fix for a compatibility issue. Any genuine client-side bug that would cause certificate verification to unduly fail is most likely in a dependency and is a concern to be separated from Errands. The author rewrote Errands in C and development focus has shifted there. For Trixie at least, this needs to be handled. I've articulated the risks on the upstream issue to encourage the author to investigate, but patching this downstream is trivial. To assess if breakage is likely, a detective might wish to check bug reports for the libraries that Errands depends on (namely the CalDAV one) to see if there are known shortcomings in TLS being handled correctly.
For whatever it's worth, the GNOME ecosystem has decided that disabling TLS certificate verification should never be done in legitimate usage and so (if I recall correctly) GLib/GIO and/or libsoup have been removing any parameters in their API that would allow this to be turned off or making them no-ops. As Errands is part of the GNOME Circle ecosystem and can integrate with GNOME Online Accounts, there is precedent for even a very firm stance on certificate verification.
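The report above turns on a single hard-coded keyword argument, and the same finding is restated in the later message to the Security Team. The following is an added example, not code from Errands, python-caldav or the Debian packaging: a small source audit that uses Python's `ast` module to locate call sites which pass a literal `False` for a certificate-verification parameter, run over two constructed snippets (a vulnerable one modelled on the report and a corrected one). The parameter name `ssl_verify_cert` is the one the report names for the CalDAV library; treating `verify` as its `requests`-level equivalent, and the idea that `ssl_verify_cert` also accepts a CA-bundle path for a server with a private CA, are assumptions made for the example.

```python
import ast
from dataclasses import dataclass

# Keyword arguments that disable TLS certificate verification when passed the
# constant False. `ssl_verify_cert` is the parameter named in the bug report;
# `verify` is assumed here to be the equivalent in the `requests` library.
VERIFY_KEYWORDS = {"ssl_verify_cert", "verify"}


@dataclass
class Finding:
    lineno: int   # line of the offending call in the scanned source
    call: str     # callee as written, e.g. "caldav.DAVClient"
    keyword: str  # which verification parameter was forced off


def find_disabled_tls_verification(source: str) -> list[Finding]:
    """Return every call that hard-codes certificate verification off.

    Only a literal False is flagged: a value computed at runtime is not an
    unconditional bypass and is left for a human reviewer to judge.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg in VERIFY_KEYWORDS
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                findings.append(Finding(node.lineno, ast.unparse(node.func), kw.arg))
    # ast.walk is breadth-first; sort so the report follows source order.
    return sorted(findings, key=lambda f: f.lineno)


# Constructed sample modelled on the report: verification switched off for
# every user, unconditionally. (Not the real Errands source.)
VULNERABLE_SAMPLE = """\
import caldav
import requests


def connect(url, user, password):
    # verification forced off for all servers
    return caldav.DAVClient(url, username=user, password=password,
                            ssl_verify_cert=False)


def probe(url):
    return requests.get(url, verify=False)
"""

# Constructed corrected sample: the verifying default stays in place, and a
# server with a private CA is accommodated with a CA bundle rather than by
# disabling the check (assumption: ssl_verify_cert accepts a bundle path).
FIXED_SAMPLE = """\
import caldav
import requests


def connect(url, user, password, settings):
    # verification stays on; a private CA is handled by trusting its bundle
    return caldav.DAVClient(url, username=user, password=password,
                            ssl_verify_cert=settings.ca_bundle or True)


def probe(url):
    return requests.get(url, verify=True)
"""


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SAMPLE), ("fixed", FIXED_SAMPLE)):
        hits = find_disabled_tls_verification(sample)
        print(f"{label}: {len(hits)} hard-coded bypass(es)")
        for hit in hits:
            print(f"  line {hit.lineno}: {hit.call}(..., {hit.keyword}=False)")
```

The scan reports the `caldav.DAVClient` call on line 7 and the `requests.get` call on line 12 of the vulnerable sample and nothing for the corrected one. Run against a real checkout it gives a packager a quick way to confirm that a patch or new upstream release actually removed the unconditional bypass rather than moving it.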
Thank you Matthias; I'm glad this issue was given scrutiny upstream and made into a new release which you uploaded to unstable. In my opinion, this is an important issue to fix in Trixie, and I think the upstream release should be appropriate as-is because it has minimal changes. Do you plan to get Release Team approval to make an upload to trixie-(proposed-)updates? It would be smart to let it migrate to testing and sit there for a few days first, I suppose. I can't make the official upload for this package as I'm not a Debian Developer, but if you would find it helpful, I'd be glad to stage changes on Salsa, test on Trixie, and secure Release Team approval for you. Let me know what your thoughts are.
Hi Security Team, I'm not a member of the Debian GNOME Team nor do I have uploading privileges for this package, but for the sake of helping move this along and also for my own pleasure, I'm preparing a merge request to address this bug. I would like your acknowledgment that preparing an ordinary stable update is okay. It was discovered in August that the Errands graphical task manager hard-codes in its source that no TLS certificate verification (hostname or otherwise) be done or attempted when connecting to CalDAV servers; any presented TLS certificate is always accepted. (CalDAV here usually uses HTTP Basic authentication, so TLS is the sole confidentiality layer.) At my request, the upstream author made a new release with addressing this as the only substantial change. No formal security advisory or vulnerability identifier was issued, and thus it's not in the Debian Security Tracker either. This has always been a non-confidential issue. Can I have your affirmation that it's okay to proceed going the trixie-updates/Release Team route to upload a fix as if it were a non-security bug? I understand that your judgment is required before anyone (a GNOME Team member or myself) can commence an upload. Thanks
See also:
• upstream issue at https://github.com/mrvladus/Errands/issues/401
• my description of the problem and informal request for advice on these types of issues on the debian-security mailing list at https://lists.debian.org/msgid-search/3e999822ca44723959d49c896c2c8861af1f10f9.camel%40posteo.net
Hello, It seems like everyone has accidentally missed the mails I've been sending to that original report like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123738#17 (attached for your convenience). I'm invested in this issue as the original submitter and having articulated the security risks upstream. Except for translation updates that TLS-related fix is the only substantial change in the newer upstream releases (because most upstream activity has shifted to the C rewrite), so I think going from 46.2.8 to 46.2.10 is appropriate for trixie-updates. I'm not a Debian Developer and don't have uploading rights for Errands, so if you would sponsor the final package upload, I'd love to take charge of all else:
• send a merge request in Salsa which I'm almost finished with to have 46.2.10 for Trixie
• ask the Release Team for approval for trixie-updates, with an assessment of the risks
  ◦ As a formality, I still need to hear back from the Security Team that this doesn't need to go into their queue instead https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123738#22
I do agree that this would be inappropriate as a backport. Thank you
I wrote last week: Per https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#xpointer(//*%5B@id=%22uploading-the-fixed-package%22%5D/p%5B2%5D) I need the Security Team's consent to go ahead. There is no CVE or identifier for this issue. (If you think there should be, perhaps to help other distros identify they should pick up the fix, I ask that you address that with the Errands upstream project.) I would appreciate your response.
Please go ahead!
I think assigning a CVE ID would be useful. I'll request one and get back to you and report it to upstream via https://github.com/mrvladus/Errands/issues/401
Cheers,
Moritz
We believe that the bug you reported is fixed in the latest version of
errands, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1123738@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated errands package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 22 May 2026 12:46:18 +0300
Source: errands
Architecture: source
Version: 46.2.8-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1123738
Changes:
errands (46.2.8-1+deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* CVE-2025-71063: TLS certificates for CalDAV servers were not verified
(Closes: #1123738)
Checksums-Sha1:
fe8263b443e3255a119b8e32c512b86ef7d7fe00 2215 errands_46.2.8-1+deb13u1.dsc
7f92f744cfc041964b7b86add47b63a9decc00fb 226568 errands_46.2.8.orig.tar.gz
1e501aaec918f36532569af0617613de7ca3357a 9360 errands_46.2.8-1+deb13u1.debian.tar.xz
Checksums-Sha256:
c376c1b84c4eb535a61aee01e53dc42fa1619d32e5f4f91dc68b65bfe3e69bff 2215 errands_46.2.8-1+deb13u1.dsc
21bbdde35062ddf5d71bee2db9f9f4433cf4791295f710d8e8cf0b8659d52a22 226568 errands_46.2.8.orig.tar.gz
fd5a7961871cf09d3ecdb22b5ec83fd3b7dd21d0a5ed13a049228626f18e92dd 9360 errands_46.2.8-1+deb13u1.debian.tar.xz
Files:
013d9d4b03698b6273052773c6707eef 2215 gnome optional errands_46.2.8-1+deb13u1.dsc
10c3592691794970df25fee346f38638 226568 gnome optional errands_46.2.8.orig.tar.gz
68ddea4037060390575018e5c10c3d39 9360 gnome optional errands_46.2.8-1+deb13u1.debian.tar.xz