CVE-2020-6750

Name	CVE-2020-6750
Description	GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field is mishandled. This bug is timing-dependent and may occur only sporadically depending on network delays. The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection. NOTE: versions before 2.60 are unaffected.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	948554

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
glib2.0 (PTS)	jessie, jessie (lts)	2.42.1-1+deb8u6	fixed
	stretch (security)	2.50.3-2+deb9u3	fixed
	stretch (lts), stretch	2.50.3-2+deb9u5	fixed
	buster	2.58.3-2+deb10u3	fixed
	buster (security)	2.58.3-2+deb10u5	fixed
	bullseye	2.66.8-1+deb11u1	fixed
	bookworm	2.74.6-2	fixed
	trixie	2.78.4-1	fixed
	sid	2.78.4-6	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
glib2.0	source	wheezy	(not affected)
glib2.0	source	jessie	(not affected)
glib2.0	source	stretch	(not affected)
glib2.0	source	buster	(not affected)
glib2.0	source	(unstable)	2.62.5-1	948554

Notes

[buster] - glib2.0 <not-affected> (Vulnerable code introduced later, regreession from 2.60.0)
[stretch] - glib2.0 <not-affected> (Vulnerable code introduced later, regreession from 2.60.0)
[jessie] - glib2.0 <not-affected> (Vulnerable code introduced later, regreession from 2.60.0)
https://gitlab.gnome.org/GNOME/glib/issues/1989
[wheezy] - glib2.0 <not-affected> (Vulnerable code introduced later, regression from 2.60.0)