On 07/07/2020 17:14, Simon McVittie wrote:
> Control: tags -1 + moreinfo
>
> On Tue, 07 Jul 2020 at 16:50:36 +0200, Emilio Pozuelo Monfort wrote:
>> On 07/07/2020 11:04, Simon McVittie wrote:
>>> The only application that was believed to be vulnerable to this
>>> in practice is balsa, which only became vulnerable in post-buster
>>> versions; older versions such as the one in buster implemented their
>>> own TLS.
>>
>> Are you sure about this? Ubuntu had to patch balsa in eoan, which had the
>> same version that buster has, see [1].
>>
>> [1] https://launchpadlibrarian.net/485808024/balsa_2.5.6-2_2.5.6-2ubuntu0.1.diff.gz
>
> Well spotted. I haven't verified this myself, I was just relaying what the
> balsa maintainer said on
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961792>.
>
> Daniel: perhaps there is more than one module using TLS? In #961792 you're
> talking about libbalsa/{server,libbalsa}.c, but the Ubuntu patch is against
> libnetclient/net-client.c. Sorry, I don't know this codebase.
>
> If balsa in buster is affected by this, then we'll need to hold off on
> doing this stable-update until a matching version of balsa is ready, like
> I originally suspected was going to be necessary.
>
> I've uploaded the proposed glib-networking to proposed-updates, and it's
> available from
> https://salsa.debian.org/gnome-team/glib-networking/-/tree/debian/buster-proposed
> if that helps with testing against it.

I have verified that balsa needed a fix, and uploaded it to buster-pu, see #964860.

Should we add a Breaks to glib-networking?

Cheers,
Emilio

