CVE-2020-13645

Name: CVE-2020-13645
Description: In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. The documented behaviour is to fail the certificate verification in that case. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, therefore accept any TLS certificate that chains to a trusted CA, regardless of which host it was issued for.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
References: ELA-246-1
Debian Bugs: 961756
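The check the description is about, as an added illustration that is not code from glib-networking, Balsa or Debian: a server certificate is matched against the identity the application expected, and the case where the application never supplied that identity is handled either fail-closed (the documented GTlsClientConnection behaviour) or by skipping the check (the vulnerable behaviour). The certificate dictionaries are constructed samples in the layout of Python's ssl.SSLSocket.getpeercert(); the function names and the skip_when_unset switch are this example's own.

```python
"""Added illustration, not code from glib-networking, Balsa or Debian.

Models the check that CVE-2020-13645 concerns: matching a server certificate
against the identity the application expected. verify_server_identity() fails
closed when no identity was given (the documented GTlsClientConnection
behaviour); with skip_when_unset=True it reproduces the vulnerable behaviour,
where a certificate valid for any host is accepted. The certificate dicts are
constructed samples in the layout of Python's ssl.SSLSocket.getpeercert().
"""
import ipaddress


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, trailing dot ignored,
    a single '*' only as the entire leftmost label, never matching more than
    one label, and wildcards on two-label names such as '*.org' rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_identities(cert: dict):
    """Return (dns_names, ip_addresses) the certificate was issued for.
    subjectAltName takes precedence; the subject commonName is consulted
    only for legacy certificates that carry no SAN at all."""
    sans = cert.get("subjectAltName", ())
    dns = [value for kind, value in sans if kind == "DNS"]
    ips = [value for kind, value in sans if kind == "IP Address"]
    if dns or ips:
        return dns, ips
    cns = [value for rdn in cert.get("subject", ())
           for kind, value in rdn if kind == "commonName"]
    return cns, []


def verify_server_identity(cert: dict, identity, skip_when_unset: bool = False) -> bool:
    """True only if the certificate is valid for the expected identity.

    identity is None when the application never told the TLS layer which
    server it meant to reach. The default fails closed and rejects the
    connection; skip_when_unset=True models the flaw, where the missing
    identity is treated as "any identity is fine".
    """
    if identity is None:
        return skip_when_unset  # vulnerable: True; documented behaviour: False
    dns_names, ip_addrs = cert_identities(cert)
    try:
        wanted_ip = ipaddress.ip_address(identity)
    except ValueError:
        return any(hostname_matches(p, identity) for p in dns_names)
    # An IP identity must match an iPAddress SAN exactly; DNS names are ignored.
    return any(ipaddress.ip_address(a) == wanted_ip for a in ip_addrs)


# Constructed samples (not real certificates), in getpeercert() layout.
MAIL_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "*.example.org")),
}
IP_CERT = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.net"),)),
}

if __name__ == "__main__":
    # A mail client that meant to reach imap.example.org, checked against a
    # certificate an attacker legitimately holds for some other name.
    print(verify_server_identity(MAIL_CERT, "imap.example.org"))         # True
    print(verify_server_identity(MAIL_CERT, "evil.example.net"))         # False
    print(verify_server_identity(MAIL_CERT, None))                        # False: fail closed
    print(verify_server_identity(MAIL_CERT, None, skip_when_unset=True))  # True: the CVE
```

In GLib the expected identity is what the application passes to g_tls_client_connection_set_server_identity() (or to g_tls_client_connection_new()); a GSocketClient with TLS enabled passes its connectable for you. When auditing an application that drives GTlsClientConnection directly, the thing to look for is a TLS connection created without that call, since on the affected glib-networking versions it will silently accept a certificate issued for any name.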

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release               Version            Status
glib-networking (PTS)   jessie, jessie (lts)  2.42.0-2+deb8u1    fixed
                        stretch               2.50.0-1+deb9u1    fixed
                        buster                2.58.0-2+deb10u2   fixed
                        bullseye              2.66.0-2           fixed
                        bookworm              2.74.0-4           fixed
                        trixie                2.80~alpha-1       fixed
                        sid                   2.80.0-1           fixed

The information below is based on the following data on fixed versions.

Package          Type    Release     Fixed Version      Urgency      Origin     Debian Bugs
glib-networking  source  wheezy      (unfixed)          end-of-life
glib-networking  source  jessie      2.42.0-2+deb8u1                 ELA-246-1
glib-networking  source  stretch     2.50.0-1+deb9u1
glib-networking  source  buster      2.58.0-2+deb10u1
glib-networking  source  (unstable)  2.64.3-2                                   961756

Notes

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
Updating glib-networking to address CVE-2020-13645 will need a compatibility update as well for balsa (cf. https://bugs.debian.org/961792)
