Description: "In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host."
Patch: https://gitlab.gnome.org/GNOME/glib-networking/-/commit/dbc8d69f58b07f6ed091aa123e5d40a53573a5fc @maintainer(s), please apply if possible.
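The defect described above is a logic error in the verification path, not a parsing bug: when the application never sets a server identity, the affected versions treat the missing identity as "nothing to check" instead of "verification fails". The following Python model is an added example written for this page and is not glib-networking's code; the `Certificate` class, `verify_vulnerable` and `verify_fixed` are constructed names that model the two behaviours over a simplified certificate (SAN dNSName entries with RFC 6125-style wildcard matching, CN fallback only when no SAN is present). Chain/CA validation is assumed to have already happened and is represented by a flag.

```python
"""Model of the CVE-2020-13645 verification defect (constructed example).

GTlsClientConnection is documented to fail certificate verification when the
application has not told it which server identity to expect. The affected
versions instead skipped the hostname check entirely in that case, so any
certificate that chained to a trusted CA was accepted regardless of host.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Certificate:
    """Simplified certificate: only the fields hostname verification looks at."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)
    chain_trusted: bool = True  # assumption: CA/chain validation done elsewhere


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard permitted only as
    the entire left-most label, and never matching across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # e.g. ".example.com"
    if "*" in suffix or not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def hostname_matches(cert: Certificate, hostname: str) -> bool:
    """Match against SAN dNSName entries; fall back to CN only if no SAN exists."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(_dns_name_matches(n, hostname) for n in names)


def verify_vulnerable(cert: Certificate, server_identity: Optional[str]) -> bool:
    """Behaviour of glib-networking through 2.64.2 (modelled): a missing
    identity skips the hostname check, so any trusted certificate passes."""
    if not cert.chain_trusted:
        return False
    if server_identity is None:
        return True  # the defect: silently accepts a cert valid for any host
    return hostname_matches(cert, server_identity)


def verify_fixed(cert: Certificate, server_identity: Optional[str]) -> bool:
    """Documented behaviour, restored by the upstream fix (modelled): a missing
    identity is a verification failure, never a pass."""
    if not cert.chain_trusted:
        return False
    if server_identity is None:
        return False
    return hostname_matches(cert, server_identity)


def demo() -> dict:
    """Constructed scenario: a CA-trusted certificate issued for a different
    host, presented to a client that never set its expected server identity."""
    wrong_host_cert = Certificate("other.example.net", ["other.example.net"])
    return {
        "vulnerable_accepts": verify_vulnerable(wrong_host_cert, None),
        "fixed_accepts": verify_fixed(wrong_host_cert, None),
        "fixed_accepts_correct_host": verify_fixed(wrong_host_cert, "other.example.net"),
    }


if __name__ == "__main__":
    print(demo())
```

The practical lesson for application code (Balsa in the description is one instance) is the same in both versions: always supply the expected server identity to the TLS connection, because with the fix a missing identity now fails closed rather than open.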
For anyone thinking of just requesting 2.64 stable - you must not do that unless you are stabling glib-2.64 and co as well. They need to be in sync.
(In reply to Mart Raudsepp from comment #2)
> For anyone thinking of just requesting 2.64 stable - you must not do that
> unless you are stabling glib-2.64 and co as well. They need to be in sync.

Does the patch apply ok?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be97151dd594ba04f27603a9c067e4a5bed859f5

commit be97151dd594ba04f27603a9c067e4a5bed859f5
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-06-13 22:02:11 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-06-13 22:03:03 +0000

    net-libs/glib-networking: bump to 2.64.3 for CVE-2020-13645

    Blind bump, hope it works.

    Bug: https://bugs.gentoo.org/725880
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/glib-networking/Manifest                 |  1 +
 .../glib-networking/glib-networking-2.64.3.ebuild | 73 ++++++++++++++++++++++
 2 files changed, 74 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9aaf52255a767b13268c84a6b612dec17339fded

commit 9aaf52255a767b13268c84a6b612dec17339fded
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-06-13 21:59:11 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-06-13 22:03:03 +0000

    net-libs/glib-networking: bump to 2.62.4 for CVE-2020-13645

    Bug: https://bugs.gentoo.org/725880
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/glib-networking/Manifest                 |  1 +
 .../glib-networking/glib-networking-2.62.4.ebuild | 73 ++++++++++++++++++++++
 2 files changed, 74 insertions(+)
ppc/ppc64 stable
amd64 stable
arm stable
s390 stable
sparc stable
arm64 stable
hppa stable
x86 stable
@maintainer(s), please cleanup
(In reply to Sam James from comment #13)
> @maintainer(s), please cleanup

ping.

GLSA vote: yes
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4998ec2920eb4e1f036d4c738e2be0c8f3cfd3b

commit a4998ec2920eb4e1f036d4c738e2be0c8f3cfd3b
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-07-26 10:49:44 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-07-26 11:46:09 +0000

    net-libs/glib-networking: security cleanup

    Bug: https://bugs.gentoo.org/725880
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/glib-networking/Manifest                 |  2 -
 .../glib-networking/glib-networking-2.60.4.ebuild | 73 ----------------------
 .../glib-networking/glib-networking-2.62.3.ebuild | 73 ----------------------
 3 files changed, 148 deletions(-)
This issue was resolved and addressed in GLSA 202007-50 at https://security.gentoo.org/glsa/202007-50 by GLSA coordinator Sam James (sam_c).