Your message dated Sun, 05 Jul 2020 12:03:39 +0000
with message-id <[email protected]>
and subject line Bug#961756: fixed in glib-networking 2.64.3-2
has caused the Debian Bug report #961756,
regarding glib-networking: CVE-2020-13645: GTlsClientConnection silently ignores unset server identity
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
961756: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961756
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glib-networking
Version: 2.64.2-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Hi,

The following vulnerability was published for glib-networking.

CVE-2020-13645[0]:
| In GNOME glib-networking through 2.64.2, the implementation of
| GTlsClientConnection skips hostname verification of the server's TLS
| certificate if the application fails to specify the expected server
| identity. This is in contrast to its intended documented behavior, to
| fail the certificate verification. Applications that fail to provide
| the server identity, including Balsa before 2.5.11 and 2.6.x before
| 2.6.1, accept a TLS certificate if the certificate is valid for any
| host.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13645
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13645
[1] https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
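To make the reported failure mode concrete, here is an added Python model (not glib-networking's own code) of the decision that the fix changed: with no server identity set, the vulnerable path skipped the hostname check and accepted any certificate that chained to a trusted root, while the fixed path fails closed. In real GIO the identity is the GSocketConnectable passed to g_tls_client_connection_new() or set with g_tls_client_connection_set_server_identity(); the function names and the constructed certificate names below are assumptions for illustration.

```python
"""Toy model of the identity check behind CVE-2020-13645 (illustrative only)."""


class TlsHandshakeError(Exception):
    """Raised when the server certificate must be rejected."""


def _host_matches(pattern, host):
    """RFC 6125-style match: exact name, or one leading wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and pattern[2:].count(".") >= 1:
        labels = host.split(".")
        # '*.example.org' matches 'mail.example.org' but not 'example.org'
        # and not 'a.b.example.org'.
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def verify_server_cert(cert_names, server_identity, chain_trusted=True, fixed=True):
    """Return True if the connection may proceed, else raise TlsHandshakeError.

    cert_names: dNSName entries of the leaf certificate (constructed input).
    server_identity: hostname the application expects, or None if unset.
    fixed=False models glib-networking <= 2.64.2; fixed=True models 2.64.3.
    """
    if not chain_trusted:
        raise TlsHandshakeError("certificate chain not trusted")
    if server_identity is None:
        if fixed:
            # 2.64.3: an unset identity means verification cannot succeed.
            raise TlsHandshakeError("no server identity set; refusing to verify")
        # <= 2.64.2: hostname check silently skipped, any trusted cert accepted.
        return True
    if not any(_host_matches(n, server_identity) for n in cert_names):
        raise TlsHandshakeError(f"certificate is not valid for {server_identity}")
    return True


def accepts(cert_names, server_identity, fixed=True):
    """Boolean wrapper: True if the handshake would be accepted."""
    try:
        return verify_server_cert(cert_names, server_identity, fixed=fixed)
    except TlsHandshakeError:
        return False


if __name__ == "__main__":
    # A client that forgot to set its identity, facing a cert for another host.
    print("old:", accepts(["other.example"], None, fixed=False))   # True (bug)
    print("new:", accepts(["other.example"], None, fixed=True))    # False
```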
--- Begin Message ---
Source: glib-networking
Source-Version: 2.64.3-2
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
glib-networking, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated glib-networking package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sun, 05 Jul 2020 11:51:32 +0100
Source: glib-networking
Architecture: source
Version: 2.64.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 961756
Changes:
 glib-networking (2.64.3-2) unstable; urgency=medium
 .
   * Team upload
   * Add Breaks on balsa versions older than the one fixing CVE-2020-13645,
     to prevent regressions
     - Version 2.6.1-1 is required in Debian, but use 2.6.0-2ubuntu0.1
       to be nice to Ubuntu users. There were no versions between
       2.6.0-2 and 2.6.1-1 in Debian.
   * Release to unstable
 .
 glib-networking (2.64.3-1) experimental; urgency=medium
 .
   * Team upload
   * New upstream release
     - Don't behave as though server TLS certificate had been verified
       successfully if the application didn't specify the expected identity.
       (CVE-2020-13645, Closes: #961756; the only application known to be
       affected is balsa).
   * Upload to experimental to facilitate testing new balsa versions.
     This version should gain Breaks: balsa (<< fixed version) before
     being released to unstable.


--- End Message ---
