CVE-2020-12658

Name	CVE-2020-12658
Description	gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before pthread exit in gp_worker_main() in gp_workers.c. NOTE: An upstream comment states "We are already on a shutdown path when running the code in question, so a DoS there doesn't make any sense, and there has been no additional information provided us (as upstream) to indicate why this would be a problem.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2516-1
Debian Bugs	978931

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
gssproxy (PTS)	stretch (security), stretch (lts), stretch	0.5.1-2+deb9u1	fixed
	buster	0.8.0-1.1	vulnerable
	bullseye	0.8.2-2	vulnerable
	bookworm	0.9.1-1	vulnerable
	sid	0.9.2-3	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
gssproxy	source	stretch	0.5.1-2+deb9u1		DLA-2516-1
gssproxy	source	(unstable)	(unfixed)	unimportant		978931

https://github.com/gssapi/gssproxy/commit/cb761412e299ef907f22cd7c4146d50c8a792003 (v0.8.3)
code change in question only happens in a shutdown path.