Control: tags -1 + moreinfo

On Tue, 07 Jul 2020 at 16:50:36 +0200, Emilio Pozuelo Monfort wrote:
> On 07/07/2020 11:04, Simon McVittie wrote:
> > The only application that was believed to be vulnerable to this
> > in practice is balsa, which only became vulnerable in post-buster
> > versions; older versions such as the one in buster implemented their
> > own TLS.
>
> Are you sure about this? Ubuntu had to patch balsa in eoan, which had the
> same version that buster has, see [1].
>
> [1]
> https://launchpadlibrarian.net/485808024/balsa_2.5.6-2_2.5.6-2ubuntu0.1.diff.gz
Well spotted. I haven't verified this myself; I was just relaying what the
balsa maintainer said on
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961792>.

Daniel: perhaps there is more than one module using TLS? In #961792 you're
talking about libbalsa/{server,libbalsa}.c, but the Ubuntu patch is against
libnetclient/net-client.c. Sorry, I don't know this codebase.

If balsa in buster is affected by this, then we'll need to hold off on doing
this stable-update until a matching version of balsa is ready, like I
originally suspected was going to be necessary.

I've uploaded the proposed glib-networking to proposed-updates, and it's
available from
https://salsa.debian.org/gnome-team/glib-networking/-/tree/debian/buster-proposed
if that helps with testing against it.

    smcv

