Opened 16 months ago

Closed 16 months ago

Last modified 15 months ago

#13589 closed enhancement (fixed)

glib-networking-2.64.3

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version to fix a critical security vulnerability. This vulnerability was first discovered by the Balsa developers.

When the server-identity property of GTlsClientConnection is unset, the documentation says we need to fail the certificate verification with G_TLS_CERTIFICATE_BAD_IDENTITY:

    If the G_TLS_CERTIFICATE_BAD_IDENTITY flag is set in “validation-flags”, this object will be used to determine the expected identify of the remote end of the connection; if “server-identity” is not set, or does not match the identity presented by the server, then the G_TLS_CERTIFICATE_BAD_IDENTITY validation will fail.

This is important because otherwise, it's easy for applications to fail to specify server identity. When server identity is missing, we check the validity of the TLS certificate but do not check if it corresponds to the expected server. That is, evil.com can present a valid certificate issued to evil.com, and we will happily accept it for paypal.com.

This was discovered in balsa#34 (closed).

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135 https://blogs.gnome.org/mcatanzaro/2020/05/27/disrupted-cve-assignment-process/

This is being tracked as CVE-2020-13645.

The release notes for glib-networking-2.64.3 are:

News
====

- Revert warning when server-identity property is unset (#130)
- Fix CVE-2020-13645, fail connections when server identity is unset (#135)

Change History (4)

comment:1 by Douglas R. Reno, 16 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 16 months ago

Resolution: fixed
Status: assignedclosed

Fixed at r23212

comment:3 by Bruce Dubbs, 15 months ago

Milestone: 9.210,0

Milestone renamed

comment:4 by Bruce Dubbs, 15 months ago

Milestone: 10,010.0

Milestone renamed

Note: See TracTickets for help on using tickets.