Source: glib-networking
Version: 2.64.2-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Hi,

The following vulnerability was published for glib-networking.

CVE-2020-13645[0]:
| In GNOME glib-networking through 2.64.2, the implementation of
| GTlsClientConnection skips hostname verification of the server's TLS
| certificate if the application fails to specify the expected server
| identity. This is in contrast to its intended documented behavior, to
| fail the certificate verification. Applications that fail to provide
| the server identity, including Balsa before 2.5.11 and 2.6.x before
| 2.6.1, accept a TLS certificate if the certificate is valid for any
| host.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13645
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13645
[1] https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
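As an added illustration (not part of the report and not glib-networking's code), a small Python model of the identity check the CVE describes: with the server identity unset, the vulnerable behaviour skips the hostname check, while the documented behaviour fails closed. The flag name BAD_IDENTITY stands in for GIO's G_TLS_CERTIFICATE_BAD_IDENTITY, and the certificate names and the skip_when_unset switch are constructed for the example.

```python
"""Constructed model of the CVE-2020-13645 check; not glib-networking's code.
BAD_IDENTITY stands in for GIO's G_TLS_CERTIFICATE_BAD_IDENTITY; the
subjectAltName lists used below are made-up sample data."""
from typing import Iterable, Optional, Set

BAD_IDENTITY = "bad-identity"


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. One leftmost '*' label is allowed;
    it covers exactly one label and never a bare public suffix."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def verify_identity(san_names: Iterable[str], server_identity: Optional[str],
                    skip_when_unset: bool) -> Set[str]:
    """Return the verification flags; an empty set means the certificate is
    accepted for server_identity.

    skip_when_unset=True models the behaviour the CVE describes: with no
    identity configured the hostname check is silently skipped.
    skip_when_unset=False models the documented behaviour: no identity
    means the check fails closed with BAD_IDENTITY."""
    if server_identity is None:
        return set() if skip_when_unset else {BAD_IDENTITY}
    if any(hostname_matches(n, server_identity) for n in san_names):
        return set()
    return {BAD_IDENTITY}


if __name__ == "__main__":
    # Constructed sample: a certificate issued for one domain's hosts.
    sans = ["mail.example.net", "*.example.net"]
    # Application that set the identity: accepted or rejected as expected.
    print(verify_identity(sans, "imap.example.net", False))  # set()
    print(verify_identity(sans, "imap.other.test", False))   # {'bad-identity'}
    # Application that never set the identity (the Balsa case in the report).
    print(verify_identity(sans, None, True))   # set(): any valid cert accepted
    print(verify_identity(sans, None, False))  # {'bad-identity'}: fails closed
```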