Copy-paste from distributor-list from 7th Feb: Sender: Michael Catanzaro <mcatanzaro@gnome.org> To: distributor-list@gnome.org, oss-security@lists.openwall.com Subject: CVE-2020-6750: GSocketClient sometimes ignores proxy settings Date: Fri, 07 Feb 2020 14:33:09 -0600 (07.02.2020 22:33:09) Hi, It was discovered that GLib's GSocketClient, since GLib 2.60, will sporadically ignore its configured proxy settings and improperly connect directly to the target server, bypassing the configured proxy server [1]. This has been assigned CVE-2020-6750. Credit to lovetox for the discovery. This affects GLib 2.60 and 2.62. GLib versions 2.58 and earlier are unaffected. A patch fixing this and related issues is available at [2]. Because GSocketClient is widely used by Linux desktop applications, including applications that use it only indirectly via libraries like libsoup or GStreamer, the number of affected applications is likely large. This bug may be difficult to notice because it is timing-dependent and does not occur under favorable network conditions. That is, if users test to ensure a network proxy is properly configured, it is likely to work properly during testing, but nonetheless still sporadically fail at other times, leaving users with a false sense of security. Michael [1] https://gitlab.gnome.org/GNOME/glib/issues/1989 [2] https://gitlab.gnome.org/GNOME/glib/merge_requests/1339.patch
amd64 stable
s390 stable
sparc stable
ia64 stable
ppc64 stable
ppc stable
x86 stable
CVE-2020-6750 (https://nvd.nist.gov/vuln/detail/CVE-2020-6750): GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field is mishandled. This bug is timing-dependent and may occur only sporadically depending on network delays. The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection. NOTE: versions before 2.60 are unaffected.
arm stable
arm64 stable
hppa stable
@maintainer(s), please cleanup