Fedora has issued an advisory today (June 18):
The issue is fixed upstream in 2.62.4.
This SRPM is ownerless, so assigning this globally.
This part of patched code doesn't exist in our current 2.60.2 release.
So it seems that this release is not affected by CVE-2020-13645.
Thanks, I thought that might be the case.
Ubuntu has issued an advisory for this on June 29:
Apparently older versions are vulnerable.
The updated packages fix a security vulnerability:
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host. (CVE-2020-13645)
Updated packages in core/updates_testing:
MGA7-64 Plasma on Lenovo B50
No installation issues.
No wiki or previous updates, so searching for info:
MCC shows in glib-networking : /usr/lib/systemd/user/glib-pacrunner.service
# systemctl -l status glib-pacrunner.service
Unit glib-pacrunner.service could not be found.
just runs but no feedback.
Googling leads me to https://wiki.gnome.org/Projects/NetworkManager/Proxies
I do not use a specific proxy, but Network Manager should communicate with it.
So, used MCC - Network Manager to disconnect, check the configuration, and connect my wifi again. No problems.
Is that sufficient for an OK? I will not object.
Validating. Advisory in Comment 5.
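The identity check described in the CVE-2020-13645 advisory text above, as an added example that is not glib-networking's code and not part of the original thread: a simplified model in plain C that puts the "skip when no server identity is given" behaviour beside the documented fail-closed behaviour. All function names, flag names and the sample certificate names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified model; these flag names are constructed, not the GIO ones. */
enum { CERT_OK = 0, CERT_BAD_IDENTITY = 1 };

/* Constructed sample: DNS names from a certificate that is valid for its own hosts. */
static const char *const SAMPLE_SAN[] = { "other.example.net", "*.example.net" };

/* "*" may only stand for the whole leftmost label, e.g. "*.example.net". */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        /* host needs a non-empty first label; the wildcard covers one label only */
        return dot != NULL && dot != host && strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

static int identity_flags(const char *const *san, size_t n, const char *expected)
{
    for (size_t i = 0; i < n; i++)
        if (name_matches(san[i], expected))
            return CERT_OK;
    return CERT_BAD_IDENTITY;
}

/* Behaviour described in the advisory: no expected identity, check skipped. */
int verify_skip_when_unset(const char *const *san, size_t n, const char *expected)
{
    if (expected == NULL)
        return CERT_OK;               /* a certificate for any host passes */
    return identity_flags(san, n, expected);
}

/* Documented behaviour: no expected identity, verification fails. */
int verify_fail_closed(const char *const *san, size_t n, const char *expected)
{
    if (expected == NULL || *expected == '\0')
        return CERT_BAD_IDENTITY;
    return identity_flags(san, n, expected);
}

int main(void)
{
    printf("identity unset: skip=%d fail-closed=%d\n",
           verify_skip_when_unset(SAMPLE_SAN, 2, NULL),
           verify_fail_closed(SAMPLE_SAN, 2, NULL));
    return 0;
}
```

For an application, the same point applies on the caller's side: always pass the expected server identity when creating the client connection, so that the result does not depend on which library version is installed.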