
Mageia 7 MGASA-2020-0314 Security Advisory: glib-networking TLS Issue

August 16, 2020
Security alert MGASA-2020-0314 has been issued regarding a glib-networking vulnerability impacting Mageia 7 that raises concerns about TLS certificate management.

Summary

The updated packages fix a security vulnerability:
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host. (CVE-2020-13645)
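
The failure mode described above, as an added Python model (not glib-networking or Balsa code): the identity step is skipped when no expected server identity is supplied, where the documented behaviour is to report an identity failure. The function names, the `fail_closed` switch and all host names are assumptions made for illustration; the error labels borrow the names of GIO's GTlsCertificateFlags.

```python
# Added illustration: simplified model of the identity step in TLS certificate
# verification. Not glib-networking code; all names and hosts are constructed.
from typing import List, Optional, Sequence


def hostname_matches(san: str, host: str) -> bool:
    """Match one dNSName entry; '*' is honoured only as the whole leftmost label."""
    p = san.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "*" in "".join(p[1:]):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def verify(chain_trusted: bool, sans: Sequence[str],
           expected_identity: Optional[str], fail_closed: bool) -> List[str]:
    """Return verification errors; an empty list means the certificate is accepted."""
    errors: List[str] = []
    if not chain_trusted:
        errors.append("UNKNOWN_CA")
    if expected_identity is None:
        # fail_closed=False models the affected behaviour: identity step skipped.
        # fail_closed=True models the documented behaviour: verification fails.
        if fail_closed:
            errors.append("BAD_IDENTITY")
    elif not any(hostname_matches(s, expected_identity) for s in sans):
        errors.append("BAD_IDENTITY")
    return errors


# Constructed scenario: a CA-trusted certificate issued for an unrelated host is
# presented to a client that intended to reach mail.example.org.
OTHER_HOST_SANS = ["www.unrelated.example", "*.cdn.unrelated.example"]


def scenarios():
    return {
        "no identity, affected": verify(True, OTHER_HOST_SANS, None, False),
        "no identity, documented": verify(True, OTHER_HOST_SANS, None, True),
        "identity supplied": verify(True, OTHER_HOST_SANS, "mail.example.org", False),
        "identity matches SAN": verify(True, OTHER_HOST_SANS, "a.cdn.unrelated.example", False),
    }


if __name__ == "__main__":
    for name, errs in scenarios().items():
        print(f"{name:26} -> {'ACCEPT' if not errs else 'REJECT ' + ','.join(errs)}")
```

An application that always supplies the expected server identity takes the third path and rejects the mismatched certificate on both affected and fixed library versions.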

References

- https://bugs.mageia.org/show_bug.cgi?id=26819

- https://www.cve.org/CVERecord?id=CVE-2020-13645

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/

- https://ubuntu.com/security/notices/USN-4405-1


Resolution

SRPMS

- 7/core/glib-networking-2.60.2-1.1.mga7

Severity
critical

Publication date: 16 Aug 2020
URL: https://advisories.mageia.org/MGASA-2020-0314.html
Type: security
CVE: CVE-2020-13645
