Bug#961792: balsa: needs to set expected server identity (for CVE-2020-13645)

Simon McVittie smcv at debian.org
Fri May 29 11:24:06 BST 2020


Package: balsa
Version: 2.4.12-1
Severity: important
Tags: security
Control: block 961756 by -1

If I'm reading https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
and related issues correctly, fixing CVE-2020-13645 in glib-networking
will break SSL certificate validation in balsa, which is believed to be
the only widely-used application that is vulnerable to CVE-2020-13645;
the new glib-networking version "fails closed", which if I understand
correctly will result in balsa failing to validate any server cert.

In each supported suite, balsa should probably be updated first, and
then glib-networking (perhaps with versioned Breaks on the old balsa).

I've reported this against the oldoldstable version, in the hope that that
will help the LTS people to avoid regressing balsa by updating
glib-networking too soon.

I believe the minimal change is to apply e8952e3c "fix NULL
server-identity TLS warning with recent gio", but I don't know or
use balsa. 0ae0fde1 "Improve TLS certificate validation error message"
would probably also be a good idea. Those are new in 2.6.1, and are not
present in 2.6.0.

For testing/unstable, please update to 2.6.1 which fixes this.

For stable and oldstable, I think backporting will be necessary.

    smcv
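Added example, not part of the bug report and not code from balsa or glib-networking: what "fails closed" means for a TLS client that never tells the stack which server it expects. In GIO the expected identity is the GTlsClientConnection `server-identity` property, set with `g_tls_client_connection_set_server_identity()` to a GSocketConnectable such as a GNetworkAddress; the same three outcomes are shown here with Python's standard-library `ssl` module, which has always refused to verify a hostname it was never given, so the post-fix behaviour can be reproduced offline. `EXPECTED_HOST` is a constructed placeholder, and no bytes are sent: wrapping an unconnected socket is enough to trigger the check.

```python
import socket
import ssl

# Constructed for the example: the mail server the client believes it is talking to.
EXPECTED_HOST = "imap.example.org"


def tls_client_outcome(server_hostname, *, check_hostname=True):
    """Attempt to wrap a fresh, unconnected TCP socket as a TLS client.

    Returns one of:
      "fail-closed"  the stack refused: hostname checking is on but no expected
                     identity was supplied. This is the post-fix glib-networking
                     behaviour the bug report describes (balsa passing a NULL
                     server identity), reproduced in Python's ssl module.
      "verified"     an identity was supplied and checking is on: a handshake
                     would validate the chain AND match the name against it.
      "fail-open"    identity checking was switched off: a handshake would accept
                     any validly-chained certificate for any name, which is the
                     pre-fix behaviour CVE-2020-13645 is about.
    Nothing is sent on the wire; the ssl module performs the check before any I/O.
    """
    ctx = ssl.create_default_context()    # CERT_REQUIRED and check_hostname=True
    ctx.check_hostname = check_hostname
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=server_hostname,
                              do_handshake_on_connect=False)
    except ValueError:
        # ssl raises "check_hostname requires server_hostname" here: the
        # expected identity is missing, so verification cannot be meaningful.
        raw.close()
        return "fail-closed"
    tls.close()
    return "verified" if check_hostname else "fail-open"


def main():
    # Old balsa + fixed glib-networking: identity never set, stack refuses.
    print("no identity, checking on :", tls_client_outcome(None))
    # Fixed balsa: identity set, chain and name are both checked.
    print("identity set, checking on:", tls_client_outcome(EXPECTED_HOST))
    # The weak configuration: checking off, any valid chain is accepted.
    print("no identity, checking off:", tls_client_outcome(None, check_hostname=False))


if __name__ == "__main__":
    main()
```

The design point is the first line of the matrix: a client that validates the certificate chain but never names the peer it expects gets no protection from that validation, because any certificate the CA issued for any name satisfies the check. A stack that fails open there silently downgrades every such client, which is the CVE; a stack that fails closed turns the same omission into a visible connection failure, which is the regression the bug report asks to stage around by updating balsa first.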


