CVE-2020-13645

Priority:
Description:
In GNOME glib-networking through 2.64.2, the implementation of
GTlsClientConnection skips hostname verification of the server's TLS
certificate if the application fails to specify the expected server
identity. This contradicts its documented behavior, which is to fail
certificate verification in that case. Applications that fail to provide the
server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept
a TLS certificate if the certificate is valid for any host.
Assigned-to: amurray
Notes:
mdeslaur: fixing this issue in glib-networking will require fixing
balsa too
Package
Source: balsa (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (code not present)
Ubuntu 19.10 (Eoan Ermine): released (2.5.6-2ubuntu0.1)
Ubuntu 20.04 LTS (Focal Fossa): released (2.6.0-2ubuntu0.1)
Ubuntu 20.10 (Groovy Gorilla): not-affected (2.6.1-1)
Patches:
Upstream: https://gitlab.gnome.org/GNOME/balsa/-/commit/e8952e3ccb1bb5094a6f8920e7c274e2e7dae184
Package
Source: glib-networking (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (2.48.2-1~ubuntu16.04.2)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.56.0-1ubuntu0.1)
Ubuntu 19.10 (Eoan Ermine): released (2.62.1-1ubuntu0.1)
Ubuntu 20.04 LTS (Focal Fossa): released (2.64.2-1ubuntu0.1)
Ubuntu 20.10 (Groovy Gorilla): released (2.64.2-1ubuntu1)
Patches:
Upstream: https://gitlab.gnome.org/GNOME/glib-networking/-/commit/29513946809590c4912550f6f8620468f9836d94
More Information

Updated: 2020-07-07 13:16:00 UTC (commit 96d829694258396a98cbb9b7dc2bb6298d721190)