Your message dated Sat, 11 Jul 2020 17:17:08 +0000
with message-id <[email protected]>
and subject line Bug#961756: fixed in glib-networking 2.58.0-2+deb10u1
has caused the Debian Bug report #961756,
regarding glib-networking: CVE-2020-13645: GTlsClientConnection silently
ignores unset server identity
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
961756: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961756
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glib-networking
Version: 2.64.2-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
Hi,

The following vulnerability was published for glib-networking.

CVE-2020-13645[0]:
| In GNOME glib-networking through 2.64.2, the implementation of
| GTlsClientConnection skips hostname verification of the server's TLS
| certificate if the application fails to specify the expected server
| identity. This is in contrast to its intended documented behavior, to
| fail the certificate verification. Applications that fail to provide
| the server identity, including Balsa before 2.5.11 and 2.6.x before
| 2.6.1, accept a TLS certificate if the certificate is valid for any
| host.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13645
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13645
[1] https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
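A simplified model of the check described in the CVE text above, added here as an illustration; it is not code from glib-networking or from the Debian patch. The struct and function names are hypothetical, the sample certificate is constructed, and hostname matching is reduced to an exact, case-insensitive comparison of DNS names.

```c
#include <ctype.h>
#include <stddef.h>

/* Flag names and values follow GIO's GTlsCertificateFlags. */
enum { CERT_OK = 0, CERT_UNKNOWN_CA = 1 << 0, CERT_BAD_IDENTITY = 1 << 1 };

/* Constructed stand-in for a peer certificate (hypothetical type). */
struct peer_cert {
    int chain_trusted;          /* result of chain validation */
    const char *dns_names[4];   /* NULL-terminated list of DNS names */
};

/* ASCII case-insensitive string equality. */
static int host_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Exact match only; wildcard certificates are out of scope for this model. */
static int cert_matches_host(const struct peer_cert *c, const char *host)
{
    for (size_t i = 0; i < 4 && c->dns_names[i] != NULL; i++)
        if (host_equal(c->dns_names[i], host))
            return 1;
    return 0;
}

/* Behaviour described in the CVE: an unset identity skips the hostname check. */
int verify_before_fix(const struct peer_cert *c, const char *identity)
{
    int flags = c->chain_trusted ? CERT_OK : CERT_UNKNOWN_CA;
    if (identity != NULL && !cert_matches_host(c, identity))
        flags |= CERT_BAD_IDENTITY;
    return flags;
}

/* Documented behaviour: an unset identity fails verification. */
int verify_after_fix(const struct peer_cert *c, const char *identity)
{
    int flags = c->chain_trusted ? CERT_OK : CERT_UNKNOWN_CA;
    if (identity == NULL || !cert_matches_host(c, identity))
        flags |= CERT_BAD_IDENTITY;
    return flags;
}

/* Constructed sample: a chain-valid certificate issued for a different host. */
const struct peer_cert other_host_cert = { 1, { "other.example", NULL } };
```

With the identity left unset (NULL), the first function accepts `other_host_cert` while the second reports a bad identity, which is the difference an application that never supplied a server identity would see after upgrading.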
--- Begin Message ---
Source: glib-networking
Source-Version: 2.58.0-2+deb10u1
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
glib-networking, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated glib-networking package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 07 Jul 2020 09:30:02 +0100
Source: glib-networking
Architecture: source
Version: 2.58.0-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 961756
Changes:
 glib-networking (2.58.0-2+deb10u1) buster; urgency=medium
 .
   * Team upload
   * d/p/Return-bad-identity-error-if-identity-is-unset.patch:
     Backport fix for CVE-2020-13645 from upstream (Closes: #961756)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---