Your message dated Sat, 11 Jul 2020 17:17:08 +0000
with message-id <[email protected]>
and subject line Bug#961792: fixed in balsa 2.5.6-2+deb10u1
has caused the Debian Bug report #961792,
regarding balsa: needs to set expected server identity (for CVE-2020-13645)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
961792: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961792
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: balsa
Version: 2.4.12-1
Severity: important
Tags: security
Control: block 961756 by -1
If I'm reading https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
and related issues correctly, fixing CVE-2020-13645 in glib-networking
will break SSL certificate validation in balsa, which is believed to be
the only widely-used application that is vulnerable to CVE-2020-13645;
the new glib-networking version "fails closed", which if I understand
correctly will result in balsa failing to validate any server cert.
In each supported suite, balsa should probably be updated first, and
then glib-networking (perhaps with versioned Breaks on the old balsa).
I've reported this against the oldoldstable version, in the hope that that
will help the LTS people to avoid regressing balsa by updating
glib-networking too soon.
I believe the minimal change is to apply e8952e3c "fix NULL
server-identity TLS warning with recent gio", but I don't know or
use balsa. 0ae0fde1 "Improve TLS certificate validation error message"
would probably also be a good idea. Those are new in 2.6.1, and are not
present in 2.6.0.
For testing/unstable, please update to 2.6.1 which fixes this.
For stable and oldstable, I think backporting will be necessary.
smcv
--- End Message ---
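The failure mode described above, modelled as an added Python example (not balsa or glib-networking code): a pre-fix validator that silently skips hostname checking when the application passes no server identity, beside the fail-closed validator that a patched glib-networking behaves like, which is why balsa has to start supplying the expected host. The certificate is a constructed stand-in holding only SAN dNSName entries and a trust-chain flag.

```python
"""Model of the CVE-2020-13645 behaviour change (constructed example, not project code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerCert:
    # Constructed stand-in for a parsed X.509 cert: only the SAN dNSNames
    # and the outcome of chain validation matter for this demonstration.
    san_dns: List[str] = field(default_factory=list)
    chain_trusted: bool = True


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against the expected identity.

    Accepts an exact match or a single wildcard in the left-most label only
    ("*.example.org" matches "imap.example.org" but not "a.b.example.org").
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_rest, h_parts = pattern[2:], hostname.split(".", 1)
        return len(h_parts) == 2 and "*" not in p_rest and h_parts[1] == p_rest
    return False


def identity_matches(cert: PeerCert, server_identity: str) -> bool:
    return any(_dns_name_matches(n, server_identity) for n in cert.san_dns)


def validate_old(cert: PeerCert, server_identity: Optional[str]) -> bool:
    """Pre-fix behaviour: a missing identity meant the hostname check was skipped."""
    if not cert.chain_trusted:
        return False
    if server_identity is None:
        return True  # the CVE: any trusted cert is accepted, whatever host it names
    return identity_matches(cert, server_identity)


def validate_fixed(cert: PeerCert, server_identity: Optional[str]) -> bool:
    """Fixed behaviour: a missing identity fails closed, so the client must supply it."""
    if server_identity is None or not cert.chain_trusted:
        return False
    return identity_matches(cert, server_identity)
```

An application that never set the identity passed `validate_old` for every trusted certificate and fails `validate_fixed` for every server, which is the regression the report warns about; passing the host it intended to connect to restores validation.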
--- Begin Message ---
Source: balsa
Source-Version: 2.5.6-2+deb10u1
Done: Emilio Pozuelo Monfort <[email protected]>
We believe that the bug you reported is fixed in the latest version of
balsa, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <[email protected]> (supplier of updated balsa package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 11 Jul 2020 09:22:22 +0200
Source: balsa
Architecture: source
Version: 2.5.6-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Emilio Pozuelo Monfort <[email protected]>
Closes: 961792
Changes:
balsa (2.5.6-2+deb10u1) buster; urgency=medium
.
* Provide server identity when validating certificates (allows to verify
certs with a glib-networking patch for CVE-2020-13645).
Patch taken from Ubuntu. Closes: #961792.
--- End Message ---