Your message dated Sat, 11 Jul 2020 16:32:26 +0000
with message-id <[email protected]>
and subject line Bug#961756: fixed in glib-networking 2.50.0-1+deb9u1
has caused the Debian Bug report #961756,
regarding glib-networking: CVE-2020-13645: GTlsClientConnection silently
ignores unset server identity
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
961756: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961756
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glib-networking
Version: 2.64.2-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Hi,

The following vulnerability was published for glib-networking.

CVE-2020-13645[0]:
| In GNOME glib-networking through 2.64.2, the implementation of
| GTlsClientConnection skips hostname verification of the server's TLS
| certificate if the application fails to specify the expected server
| identity. This is in contrast to its intended documented behavior, to
| fail the certificate verification. Applications that fail to provide
| the server identity, including Balsa before 2.5.11 and 2.6.x before
| 2.6.1, accept a TLS certificate if the certificate is valid for any
| host.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13645
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13645
[1] https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: glib-networking
Source-Version: 2.50.0-1+deb9u1
Done: Emilio Pozuelo Monfort <[email protected]>

We believe that the bug you reported is fixed in the latest version of
glib-networking, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <[email protected]> (supplier of updated glib-networking
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Tue, 07 Jul 2020 16:57:37 +0200
Source: glib-networking
Architecture: source
Version: 2.50.0-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian GNOME Maintainers
<[email protected]>
Changed-By: Emilio Pozuelo Monfort <[email protected]>
Closes: 961756
Changes:
glib-networking (2.50.0-1+deb9u1) stretch; urgency=medium
.
* Team upload
* d/p/Return-bad-identity-error-if-identity-is-unset.patch:
Backport fix for CVE-2020-13645 from upstream (Closes: #961756)
--- End Message ---
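
The behaviour described in the CVE text and the behaviour named by the backported patch, side by side, as an added example that is not glib-networking's code. It is a self-contained C model: the certificate structure, function names, flag values and host names are all constructed for illustration, and the name matching is deliberately minimal.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Error flag local to this model (GIO itself reports G_TLS_CERTIFICATE_BAD_IDENTITY). */
enum { MODEL_OK = 0, MODEL_BAD_IDENTITY = 1 };

/* Constructed certificate: only the DNS names it is valid for, NULL-terminated. */
struct model_cert { const char *dns_names[4]; };
static const struct model_cert sample_cert = { { "mail.example.org", "*.example.net", NULL } };

static int eq_nocase(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Exact match, or a single left-most "*." wildcard label. */
static int cert_covers(const struct model_cert *cert, const char *host)
{
    const char *dot = strchr(host, '.');
    for (size_t i = 0; i < 4 && cert->dns_names[i] != NULL; i++) {
        const char *name = cert->dns_names[i];
        int wild = strncmp(name, "*.", 2) == 0;
        if (wild ? (dot != NULL && dot != host && eq_nocase(name + 1, dot)) : eq_nocase(name, host))
            return 1;
    }
    return 0;
}

/* Behaviour the CVE describes: an unset identity skips the hostname check entirely. */
int verify_vulnerable(const struct model_cert *cert, const char *identity)
{
    return (identity != NULL && !cert_covers(cert, identity)) ? MODEL_BAD_IDENTITY : MODEL_OK;
}

/* Behaviour named by the patch: an unset identity is itself a bad-identity error. */
int verify_fixed(const struct model_cert *cert, const char *identity)
{
    return (identity == NULL || !cert_covers(cert, identity)) ? MODEL_BAD_IDENTITY : MODEL_OK;
}

int main(void)
{
    printf("unset identity: vulnerable=%d fixed=%d\n",
           verify_vulnerable(&sample_cert, NULL), verify_fixed(&sample_cert, NULL));
    return 0;
}
```

The two functions differ only for an unset (NULL) identity, which is why applications that always passed the expected server identity were unaffected.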