Bug#961756: glib-networking: CVE-2020-13645: GTlsClientConnection silently ignores unset server identity

Salvatore Bonaccorso carnil at debian.org
Thu May 28 21:41:19 BST 2020


Source: glib-networking
Version: 2.64.2-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Hi,

The following vulnerability was published for glib-networking.

CVE-2020-13645[0]:
| In GNOME glib-networking through 2.64.2, the implementation of
| GTlsClientConnection skips hostname verification of the server's TLS
| certificate if the application fails to specify the expected server
| identity. This is in contrast to its intended documented behavior, to
| fail the certificate verification. Applications that fail to provide
| the server identity, including Balsa before 2.5.11 and 2.6.x before
| 2.6.1, accept a TLS certificate if the certificate is valid for any
| host.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13645
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13645
[1] https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



More information about the pkg-gnome-maintainers mailing list