#13589: glib-networking-2.64.3
-------------------------+-----------------------
Reporter: renodr | Owner: blfs-book
Type: enhancement | Status: new
Priority: high | Milestone: 9.2
Component: BOOK | Version: SVN
Severity: normal | Keywords:
-------------------------+-----------------------
New point version to fix a critical security vulnerability. This
vulnerability was first discovered by the Balsa developers.
{{{
When the server-identity property of GTlsClientConnection is unset, the
documentation says we need to fail the certificate verification with
G_TLS_CERTIFICATE_BAD_IDENTITY:
If the G_TLS_CERTIFICATE_BAD_IDENTITY flag is set in “validation-flags”, this object will be used to determine the expected identity of the remote end of the connection; if “server-identity” is not set, or does not match the identity presented by the server, then the G_TLS_CERTIFICATE_BAD_IDENTITY validation will fail.
This is important because otherwise, it's easy for applications to fail to
specify server identity. When server identity is missing, we check the
validity of the TLS certificate but do not check if it corresponds to the
expected server. That is, evil.com can present a valid certificate issued
to evil.com, and we will happily accept it for paypal.com.
This was discovered in balsa#34 (closed).
}}}
[https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135]
[https://blogs.gnome.org/mcatanzaro/2020/05/27/disrupted-cve-assignment-process/]
This is being tracked as CVE-2020-13645.
The release notes for glib-networking-2.64.3 are:
{{{
News
====
- Revert warning when server-identity property is unset (#130)
- Fix CVE-2020-13645, fail connections when server identity is unset (#135)
}}}
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/13589>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
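The check the ticket is about, as an added illustration rather than code from glib-networking or the Balsa report: the identity part of peer verification, with the pre-fix behaviour (an unset server identity skips the name check, so evil.com's valid certificate is accepted for paypal.com) beside the behaviour the GIO documentation promises and 2.64.3 restores (an unset identity fails G_TLS_CERTIFICATE_BAD_IDENTITY). The names TlsCertificateFlags, dns_name_matches, verify_identity and connection_accepted are this example's own; the certificate is a constructed dict of dNSName SANs, and the server identity is a plain hostname string, whereas GIO takes a GSocketConnectable and pulls the names from a parsed X.509 certificate. The wildcard rules follow the usual RFC 6125 convention (whole leftmost label only), which goes slightly beyond what the ticket discusses.

```python
"""Hostname identity check modelled on the GTlsClientConnection contract
quoted in the ticket.  Added illustration, not code from glib-networking:
the flag names mirror GTlsCertificateFlags, but the certificate is a
constructed dict and the server identity is a plain hostname string
(GIO takes a GSocketConnectable)."""
from enum import Flag, auto
from typing import Optional


class TlsCertificateFlags(Flag):
    """Subset of GTlsCertificateFlags as a Python Flag (assumed mapping)."""
    NONE = 0
    UNKNOWN_CA = auto()
    BAD_IDENTITY = auto()
    EXPIRED = auto()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname.

    Case-insensitive, trailing dot ignored.  A wildcard is honoured only as
    the whole leftmost label with at least two labels after it, so
    "*.example.com" matches "www.example.com" but not "a.b.example.com",
    and "*.com" matches nothing.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:  # partial wildcards such as "w*.example.com" are rejected
        return False
    return p_labels == h_labels


def verify_identity(cert: dict, server_identity: Optional[str],
                    validation_flags: TlsCertificateFlags,
                    fail_when_unset: bool = True) -> TlsCertificateFlags:
    """Return the identity-related validation flags that fail.

    fail_when_unset=True is the documented behaviour (and the actual one from
    2.64.3): an unset server identity fails BAD_IDENTITY.  fail_when_unset=False
    reproduces the pre-fix behaviour described in the ticket, where an unset
    identity simply skipped the name check.
    """
    if not (validation_flags & TlsCertificateFlags.BAD_IDENTITY):
        return TlsCertificateFlags.NONE  # caller opted out of the identity check
    if server_identity is None:
        return (TlsCertificateFlags.BAD_IDENTITY if fail_when_unset
                else TlsCertificateFlags.NONE)
    # Prefer subjectAltName dNSName entries; fall back to the subject CN only
    # when the certificate carries no SANs at all.
    names = cert.get("san_dns") or (
        [cert["subject_cn"]] if cert.get("subject_cn") else [])
    if any(dns_name_matches(n, server_identity) for n in names):
        return TlsCertificateFlags.NONE
    return TlsCertificateFlags.BAD_IDENTITY


# Constructed stand-in for a valid, CA-issued certificate for evil.com.
EVIL_CERT = {"subject_cn": "evil.com", "san_dns": ["evil.com", "*.evil.com"]}


def connection_accepted(cert: dict, server_identity: Optional[str],
                        fixed: bool = True) -> bool:
    """Would a client validating BAD_IDENTITY accept this peer certificate?"""
    failed = verify_identity(cert, server_identity,
                             TlsCertificateFlags.BAD_IDENTITY,
                             fail_when_unset=fixed)
    return failed == TlsCertificateFlags.NONE


if __name__ == "__main__":
    # The ticket's scenario: evil.com's certificate offered to a client that
    # meant to reach paypal.com but never set server-identity.
    print("pre-fix, identity unset:", connection_accepted(EVIL_CERT, None, fixed=False))  # True
    print("2.64.3, identity unset :", connection_accepted(EVIL_CERT, None))               # False
    print("identity paypal.com    :", connection_accepted(EVIL_CERT, "paypal.com"))       # False
    print("identity www.evil.com  :", connection_accepted(EVIL_CERT, "www.evil.com"))     # True
```

The point for application code is the second line of that output: once glib-networking enforces the documented contract, a client that never called g_tls_client_connection_set_server_identity() (or that did not go through a GSocketClient, which sets it for you) stops connecting instead of silently accepting any validly issued certificate, so an upgrade to 2.64.3 can surface applications that were relying on the missing check.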