Description: "In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host."
Patches: https://gitlab.gnome.org/GNOME/balsa/-/commit/9b19c66ce4cd6d57dcaaa9499b8e0242d96f9c89 https://gitlab.gnome.org/GNOME/balsa/-/commit/0ae0fde107f2ed36a0bdc4d46cce2d11a11a5b67
ping
https://pawsa.fedorapeople.org/balsa/ says ... News 2020-05-10 You can now download balsa-2.5.11 and balsa-2.6.1. balsa-2.5.11 still links against gmime2. Balsa-2.6.1 links against gmime30. Both versions have a TLS server identity bug fixed. balsa-2.5.11 builds if the PATCHES is removed from the 2.5.6-r1 build. That's not nearly enough testing to qualify as a version bump.
CVE-2020-16118: In GNOME Balsa before 2.6.0, a malicious server operator or man in the middle can trigger a NULL pointer dereference and client crash by sending a PREAUTH response to imap_mbox_connect in libbalsa/imap/imap-handle.c. Issue: https://gitlab.gnome.org/GNOME/balsa/-/issues/23 Patch: https://gitlab.gnome.org/GNOME/balsa/-/commit/4e245d758e1c826a01080d40c22ca8706f0339e5 balsa $ git tag --contains 4e245d758e1c826a01080d40c22ca8706f0339e5 2.5.10 2.5.11 2.6.0 2.6.1 (In reply to Sam James from comment #1) > Patches: > https://gitlab.gnome.org/GNOME/balsa/-/commit/ > 9b19c66ce4cd6d57dcaaa9499b8e0242d96f9c89 404? > https://gitlab.gnome.org/GNOME/balsa/-/commit/ > 0ae0fde107f2ed36a0bdc4d46cce2d11a11a5b67 This one is in 2.5.11 and 2.6.1: balsa $ git tag --contains 0ae0fde107f2ed36a0bdc4d46cce2d11a11a5b67 2.5.11 2.6.1
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=98480bf85d035209c098e69731307bd614321358 commit 98480bf85d035209c098e69731307bd614321358 Author: Mart Raudsepp <leio@gentoo.org> AuthorDate: 2020-08-24 07:43:40 +0000 Commit: Mart Raudsepp <leio@gentoo.org> CommitDate: 2020-08-24 07:48:01 +0000 mail-client/balsa: bump to 2.6.1 Bug: https://bugs.gentoo.org/725910 Closes: https://bugs.gentoo.org/698670 Package-Manager: Portage-2.3.103, Repoman-2.3.20 Signed-off-by: Mart Raudsepp <leio@gentoo.org> mail-client/balsa/Manifest | 1 + mail-client/balsa/balsa-2.6.1.ebuild | 75 ++++++++++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+)
x86 done
amd64 done all arches done
Please cleanup.
noglsa because the main issue was in glib-networking.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=952e9a293c1a5c2e1a7887843c0969936e30f841 commit 952e9a293c1a5c2e1a7887843c0969936e30f841 Author: Mart Raudsepp <leio@gentoo.org> AuthorDate: 2020-08-29 08:10:19 +0000 Commit: Mart Raudsepp <leio@gentoo.org> CommitDate: 2020-08-29 08:27:25 +0000 mail-client/balsa: security cleanup Bug: https://bugs.gentoo.org/725910 Package-Manager: Portage-2.3.103, Repoman-2.3.20 Signed-off-by: Mart Raudsepp <leio@gentoo.org> mail-client/balsa/Manifest | 1 - mail-client/balsa/balsa-2.5.6-r1.ebuild | 71 ---------- .../files/balsa-2.5.6-fix-older-webkit1.patch | 156 --------------------- .../files/balsa-2.5.6-fix-older-webkit2.patch | 53 ------- mail-client/balsa/metadata.xml | 1 - 5 files changed, 282 deletions(-)
Thanks!
