| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | glib-networking new security issue CVE-2020-13645 | | |
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, mageia, nicolas.salguero, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | glib-networking-2.60.2-1.mga7.src.rpm | CVE: | CVE-2020-13645 |
| Status comment: | | | |
Description
David Walser
2020-06-18 23:01:24 CEST

This SRPM is ownerless, so assigning this globally.

Assignee: bugsquad => pkg-bugs

---

This part of patched code doesn't exist in our current 2.60.2 release.
https://gitlab.gnome.org/GNOME/glib-networking/-/commit/29513946809590c4912550f6f8620468f9836d94
So it seems that this release is not affected by CVE-2020-13645.

CC: (none) => geiger.david68210

---

Thanks, I thought that might be the case.

Status: NEW => RESOLVED

---

Ubuntu has issued an advisory for this on June 29:
https://ubuntu.com/security/notices/USN-4405-1
Apparently older versions are vulnerable.

Resolution: INVALID => (none)

---

Suggested advisory:
========================

The updated packages fix a security vulnerability:

In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host. (CVE-2020-13645)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13645
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/
https://ubuntu.com/security/notices/USN-4405-1
========================

Updated packages in core/updates_testing:
========================
glib-networking-2.60.2-1.1.mga7
lib(64)glib-networking-2.60.2-1.1.mga7
lib(64)glib-networking-gnutls-2.60.2-1.1.mga7

from SRPMS:
glib-networking-2.60.2-1.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs

---

MGA7-64 Plasma on Lenovo B50

No installation issues.

No wiki or previous updates, so searching for info: MCC shows in glib-networking:
/usr/lib/systemd/user/glib-pacrunner.service
but

# systemctl -l status glib-pacrunner.service
Unit glib-pacrunner.service could not be found.

# /usr/libexec/glib-pacrunner
just runs but no feedback.

Googling leads me to https://wiki.gnome.org/Projects/NetworkManager/Proxies
I do not use a specific proxy, but Network Manager should communicate with it. So, used MCC - Network Manager to disconnect, check the configuration, and connect my wifi again. No problems.
Is that sufficient for an OK? I will not object.

CC: (none) => herman.viaene

---

Herman Viaene
2020-08-07 16:34:57 CEST

Whiteboard: (none) => MGA7-64-OK

---

Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs

---

Nicolas Lécureuil
2020-08-16 12:35:34 CEST

CC: (none) => mageia

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0314.html

Status: ASSIGNED => RESOLVED