Version: 2.6.1-1
Control: notfound 961792 2.5.6-2
Control: notfound 961792 2.4.12-3+b1
On Thu 2020-06-25 10:18:54 +0100, Simon McVittie wrote:
> On Fri, 29 May 2020 at 11:24:06 +0100, Simon McVittie wrote:
>> If I'm reading https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
>> and related issues correctly, fixing CVE-2020-13645 in glib-networking
>> will break SSL certificate validation in balsa, which is believed to be
>> the only widely-used application that is vulnerable to CVE-2020-13645;
>> the new glib-networking version "fails closed", which if I understand
>> correctly will result in balsa failing to validate any server cert.
>>
>> In each supported suite, balsa should probably be updated first, and
>> then glib-networking (perhaps with versioned Breaks on the old balsa).
>
> Has anyone who uses balsa had a chance to take a look at this security
> issue? I'd prefer not to team-upload balsa, since I don't use it myself,
> and a balsa user would be able to test it a lot better.

I can confirm that this is a problem for Balsa 2.6.0-2: it cannot connect to a legitimate IMAP server with sensible TLS credentials when run against glib-networking 2.64.3-1 (from experimental).

I've uploaded Balsa 2.6.1-1 to unstable, which appears to resolve this problem.

I've also tested these Balsa versions against an IMAP service with a certificate mismatch -- they do not "fail open", which is good.

I took a look at the version in debian stable (buster, running balsa 2.5.6-2) and oldstable (stretch, running balsa 2.4.12-3+b1) -- and both of them correctly fail closed when confronted with a certificate mismatch.

It appears that older versions of Balsa actually use a (rather complicated) OpenSSL for the TLS connection. See libbalsa/{server,libbalsa}.c for more details. Upstream adopted glib-networking/gio in 2.5.7 (see upstream commit d964df60bbd85b00269da62b99bf2ce57ae442cc, a major internal overhaul), and the certificate name check failed only on that version or later.

Please mark glib-networking 2.64.3-2 as breaking Balsa versions 2.5.7 through 2.6.0.
If you only care about versions of balsa that are currently in any release of debian, that would be just:

Breaks: balsa (= 2.6.0-2)

Hope this helps!

Regards,

--dkg

