On 07/07/2020 11:04, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: [email protected]
> Usertags: pu
>
> Older versions of glib-networking's TLS implementation have a security
> issue (CVE-2020-13645): according to the documentation, if the caller
> does not specify a server identity, glib-networking should fail closed
> (reject all server identities), but in fact it failed open (accept all
> server identities).
>
> The only application that was believed to be vulnerable to this
> in practice is balsa, which only became vulnerable in post-buster
> versions; older versions such as the one in buster implemented their
> own TLS.
Are you sure about this? Ubuntu had to patch balsa in eoan, which had the same version that buster has, see [1].

Cheers,
Emilio

[1] https://launchpadlibrarian.net/485808024/balsa_2.5.6-2_2.5.6-2ubuntu0.1.diff.gz
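As an added illustration (not code from glib-networking, balsa, or either poster), here is a small Python model of the two behaviours Simon describes: the documented fail-closed check next to the fail-open one that CVE-2020-13645 fixed, with Python's own ssl module shown as a reference for fail-closed handling of a missing server identity. The function names, the name-matching helper and the sample names are constructed for this example.

```python
import socket
import ssl
from typing import Iterable, Optional

# Constructed model of a server-identity check (an assumption, not the
# glib-networking implementation). san_names stands in for the DNS names
# found in the server certificate.
def identity_matches(identity: str, san_names: Iterable[str]) -> bool:
    """Exact match, or a single-label wildcard such as *.example.org."""
    host = identity.lower().rstrip(".")
    for name in san_names:
        n = name.lower().rstrip(".")
        if n == host:
            return True
        if n.startswith("*.") and host.count(".") >= 2 \
                and host.split(".", 1)[1] == n[2:]:
            return True
    return False

def verify_fail_open(server_identity: Optional[str], san_names) -> bool:
    """The vulnerable behaviour: no identity configured -> accept any cert."""
    if server_identity is None:
        return True          # accepts every server: the CVE-2020-13645 bug
    return identity_matches(server_identity, san_names)

def verify_fail_closed(server_identity: Optional[str], san_names) -> bool:
    """The documented behaviour: no identity configured -> reject every cert."""
    if server_identity is None:
        return False         # the caller forgot to set an identity: refuse
    return identity_matches(server_identity, san_names)

def python_ssl_refuses_without_hostname() -> bool:
    """Reference fail-closed behaviour in CPython: with check_hostname enabled,
    wrapping a socket without server_hostname raises ValueError before any
    handshake or network traffic, so this runs offline."""
    ctx = ssl.create_default_context()   # check_hostname is True by default
    with socket.socket() as raw:
        try:
            tls = ctx.wrap_socket(raw)
        except ValueError:
            return True
        tls.close()
    return False
```

The model shows why an application that never sets the identity (as the report says post-buster balsa did) is only safe when the library refuses to proceed, which is the behaviour the fixed glib-networking restores.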

