Fedora has issued an advisory today (June 18): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/ The issue is fixed upstream in 2.62.4.
This SRPM is ownerless, so assigning this globally.
Assignee: bugsquad => pkg-bugs
This part of the patched code doesn't exist in our current 2.60.2 release. https://gitlab.gnome.org/GNOME/glib-networking/-/commit/29513946809590c4912550f6f8620468f9836d94 So it seems that this release is not affected by CVE-2020-13645.
CC: (none) => geiger.david68210
Thanks, I thought that might be the case.
Status: NEW => RESOLVED
Resolution: (none) => INVALID
Ubuntu has issued an advisory for this on June 29: https://ubuntu.com/security/notices/USN-4405-1 Apparently older versions are vulnerable.
Resolution: INVALID => (none)
Status: RESOLVED => REOPENED
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host. (CVE-2020-13645)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13645
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/
https://ubuntu.com/security/notices/USN-4405-1
========================

Updated packages in core/updates_testing:
========================

glib-networking-2.60.2-1.1.mga7
lib(64)glib-networking-2.60.2-1.1.mga7
lib(64)glib-networking-gnutls-2.60.2-1.1.mga7

from SRPMS:
glib-networking-2.60.2-1.1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status: REOPENED => ASSIGNED
CVE: (none) => CVE-2020-13645
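The advisory above describes the flaw as a skipped hostname check when no server identity is configured. The following is an added illustration, not code from glib-networking or from this bug: it models only the hostname dimension of certificate verification, with "certificates" represented as constructed lists of SAN dNSName entries, and places the documented fail-closed decision beside the behaviour the advisory describes for versions through 2.64.2.

```python
from typing import Optional, Sequence

# Constructed model of the CVE-2020-13645 decision. Only the hostname
# dimension of certificate verification is modelled; a "certificate" here is
# just its list of SAN dNSName entries (constructed sample data).


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName match: case-insensitive, trailing dot ignored,
    a wildcard is allowed only as the entire left-most label and matches
    exactly one label (so *.example.com never matches example.com)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2 or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False  # a wildcard outside the left-most label is never valid
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def cert_valid_for_host(san_dns_names: Sequence[str], hostname: str) -> bool:
    """True when any SAN entry covers the expected hostname."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


def documented_verify(san_dns_names: Sequence[str],
                      server_identity: Optional[str]) -> bool:
    """Documented GTlsClientConnection behaviour: with no server identity
    configured the hostname check cannot be done, so verification fails."""
    if server_identity is None:
        return False
    return cert_valid_for_host(san_dns_names, server_identity)


def vulnerable_verify(san_dns_names: Sequence[str],
                      server_identity: Optional[str]) -> bool:
    """glib-networking through 2.64.2: a missing identity skipped the hostname
    check, so a chain-valid certificate for any host was accepted."""
    if server_identity is None:
        return True
    return cert_valid_for_host(san_dns_names, server_identity)


if __name__ == "__main__":
    # A certificate issued for an unrelated host, presented to a client that
    # never configured which server it expected to reach.
    unrelated = ["mail.unrelated.test"]
    print("vulnerable   :", vulnerable_verify(unrelated, None))  # True
    print("documented   :", documented_verify(unrelated, None))  # False
    print("with identity:", documented_verify(["*.example.com"], "imap.example.com"))  # True
```

The practical check for an application built on GTlsClientConnection is that it always sets the expected server identity, so that the hostname branch is taken rather than relying on the library's fail-closed default.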
MGA7-64 Plasma on Lenovo B50
No installation issues.
No wiki or previous updates, so searching for info:
MCC shows in glib-networking : /usr/lib/systemd/user/glib-pacrunner.service
but
# systemctl -l status glib-pacrunner.service
Unit glib-pacrunner.service could not be found.
# /usr/libexec/glib-pacrunner
just runs but no feedback.
Googling leads me to https://wiki.gnome.org/Projects/NetworkManager/Proxies
I do not use a specific proxy, but Network Manager should communicate with it.
So, used MCC - Network Manager to disconnect, check the configuration, and connect my wifi again. No problems.
Is that sufficient for an OK? I will not object.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => mageia
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0314.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED