Package: balsa Version: 2.4.12-1 Severity: important Tags: security Control: block 961756 by -1
If I'm reading https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135 and related issues correctly, fixing CVE-2020-13645 in glib-networking will break SSL certificate validation in balsa, which is believed to be the only widely-used application that is vulnerable to CVE-2020-13645; the new glib-networking version "fails closed", which if I understand correctly will result in balsa failing to validate any server cert. In each supported suite, balsa should probably be updated first, and then glib-networking (perhaps with versioned Breaks on the old balsa). I've reported this against the oldoldstable version, in the hope that that will help the LTS people to avoid regressing balsa by updating glib-networking too soon. I believe the minimal change is to apply e8952e3c "fix NULL server-identity TLS warning with recent gio", but I don't know or use balsa. 0ae0fde1 "Improve TLS certificate validation error message" would probably also be a good idea. Those are new in 2.6.1, and are not present in 2.6.0. For testing/unstable, please update to 2.6.1 which fixes this. For stable and oldstable, I think backporting will be necessary. smcv

