Your message dated Fri, 03 Jul 2020 16:48:47 +0000
with message-id <[email protected]>
and subject line Bug#961756: fixed in glib-networking 2.64.3-1
has caused the Debian Bug report #961756,
regarding glib-networking: CVE-2020-13645: GTlsClientConnection silently ignores unset server identity
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
961756: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961756
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glib-networking
Version: 2.64.2-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Hi,

The following vulnerability was published for glib-networking.

CVE-2020-13645[0]:
| In GNOME glib-networking through 2.64.2, the implementation of
| GTlsClientConnection skips hostname verification of the server's TLS
| certificate if the application fails to specify the expected server
| identity. This is in contrast to its intended documented behavior, to
| fail the certificate verification. Applications that fail to provide
| the server identity, including Balsa before 2.5.11 and 2.6.x before
| 2.6.1, accept a TLS certificate if the certificate is valid for any
| host.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13645
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13645
[1] https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
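As an added illustration (not code from glib-networking, Balsa or the bug report), the following self-contained C model shows the check that the CVE text above and the 2.64.3 changelog entry describe: with the expected server identity unset, the old behaviour treated the peer certificate as verified, while the fixed behaviour reports a bad identity. The flag names, the certificate stand-in and the hostname matcher are constructed for this example and are not GLib's real API.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the verification result; not GLib's enum. */
enum { CERT_OK = 0, CERT_BAD_IDENTITY = 1 };

/* Minimal stand-in for a peer certificate: the hostnames it is valid for. */
typedef struct { const char *names[4]; size_t n; } PeerCert;

/* Exact match, or a single leftmost "*." wildcard label (simplified). */
static bool name_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot && dot != host && strcmp(pattern + 1, dot) == 0;
    }
    return strcmp(pattern, host) == 0;
}

static bool cert_valid_for(const PeerCert *c, const char *host) {
    for (size_t i = 0; i < c->n; i++)
        if (name_matches(c->names[i], host)) return true;
    return false;
}

/* Behaviour the CVE describes for glib-networking through 2.64.2: with no
 * identity to compare against, the hostname check is simply skipped and the
 * certificate passes as long as it is valid for *some* host. */
static int verify_identity_vulnerable(const PeerCert *c, const char *identity) {
    if (identity == NULL) return CERT_OK;
    return cert_valid_for(c, identity) ? CERT_OK : CERT_BAD_IDENTITY;
}

/* Fixed behaviour (2.64.3): an unset identity is itself a verification
 * failure, so an application that forgot to set it cannot connect. */
static int verify_identity_fixed(const PeerCert *c, const char *identity) {
    if (identity == NULL) return CERT_BAD_IDENTITY;
    return cert_valid_for(c, identity) ? CERT_OK : CERT_BAD_IDENTITY;
}

int main(void) {
    /* Constructed sample: a certificate issued for an unrelated domain. */
    PeerCert other = { { "*.example.net" }, 1 };
    printf("identity unset  old=%d new=%d\n",
           verify_identity_vulnerable(&other, NULL),
           verify_identity_fixed(&other, NULL));
    printf("mail.example.org vs *.example.net: %d\n",
           verify_identity_fixed(&other, "mail.example.org"));
    return 0;
}
```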
--- Begin Message ---
Source: glib-networking
Source-Version: 2.64.3-1
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
glib-networking, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated glib-networking package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 03 Jul 2020 15:25:22 +0100
Source: glib-networking
Architecture: source
Version: 2.64.3-1
Distribution: experimental
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 961756
Changes:
 glib-networking (2.64.3-1) experimental; urgency=medium
 .
   * Team upload
   * New upstream release
     - Don't behave as though server TLS certificate had been verified
       successfully if the application didn't specify the expected identity.
       (CVE-2020-13645, Closes: #961756; the only application known to be
       affected is balsa).
   * Upload to experimental to facilitate testing new balsa versions.
     This version should gain Breaks: balsa (<< fixed version) before
     being released to unstable.
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---