Bug#961792: balsa: needs to set expected server identity (for CVE-2020-13645)

Simon McVittie smcv at debian.org
Thu Jun 25 10:18:54 BST 2020


On Fri, 29 May 2020 at 11:24:06 +0100, Simon McVittie wrote:
> If I'm reading https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
> and related issues correctly, fixing CVE-2020-13645 in glib-networking
> will break SSL certificate validation in balsa, which is believed to be
> the only widely-used application that is vulnerable to CVE-2020-13645;
> the new glib-networking version "fails closed", which if I understand
> correctly will result in balsa failing to validate any server cert.
> 
> In each supported suite, balsa should probably be updated first, and
> then glib-networking (perhaps with versioned Breaks on the old balsa).

Has anyone who uses balsa had a chance to take a look at this security
issue? I'd prefer not to team-upload balsa, since I don't use it myself,
and a balsa user would be able to test it a lot better.

    smcv
