CVE-2020-13645

Published: 28 May 2020

In GNOME glib-networking through 2.64.2, the GTlsClientConnection implementation skips hostname verification of the server's TLS certificate when the application does not set the expected server identity. This contradicts its documented behavior, which is to fail certificate verification in that case. As a result, applications that do not provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept any TLS certificate that is valid for some host, not just the one they intended to reach.
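The following added Python model (not glib-networking's or Balsa's code) illustrates the decision described above: a certificate that is otherwise valid is checked against the expected server identity, and the only difference between the vulnerable and documented behaviour is what happens when the application never set one. The certificate names, hostnames and the `BAD_IDENTITY` label are constructed for the example; in GIO the corresponding pieces are `g_tls_client_connection_set_server_identity()` and the `G_TLS_CERTIFICATE_BAD_IDENTITY` flag.

```python
# Constructed model of GTlsClientConnection's identity check (CVE-2020-13645).
# Not glib-networking's own code; assumes the certificate chain itself has
# already been validated and only the identity question remains.

BAD_IDENTITY = "bad-identity"  # stand-in for G_TLS_CERTIFICATE_BAD_IDENTITY


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost wildcard label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard may replace exactly one label; the rest must match exactly.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def identity_errors(cert_names, server_identity, fixed):
    """Return the set of identity errors for an otherwise valid certificate.

    cert_names:      DNS names from the certificate's subjectAltName.
    server_identity: the hostname the application expects, or None if the
                     application never set one.
    fixed:           False models glib-networking <= 2.64.2 (skip the check),
                     True models the documented behaviour (fail the check).
    """
    if server_identity is None:
        # Vulnerable path: no identity means no hostname check at all, so a
        # certificate valid for any host is accepted.
        return {BAD_IDENTITY} if fixed else set()
    if any(hostname_matches(name, server_identity) for name in cert_names):
        return set()
    return {BAD_IDENTITY}


def accepts(cert_names, server_identity, fixed):
    """True if the connection would proceed with this certificate."""
    return not identity_errors(cert_names, server_identity, fixed)


if __name__ == "__main__":
    # Constructed scenario: the client meant to reach imap.example.org, but the
    # peer presents a certificate issued for a different host.
    cert = ["mail.example.net"]
    print("forgot identity, vulnerable:", accepts(cert, None, fixed=False))  # True
    print("forgot identity, fixed:     ", accepts(cert, None, fixed=True))   # False
    print("identity set, mismatch:     ", accepts(cert, "imap.example.org", fixed=True))
```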

Priority

Medium

CVSS 3 base score: 6.5

Status

Package / Release                    Status
-----------------------------------  --------------------------------

balsa (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (2.6.1-1)
  Ubuntu 20.04 LTS (Focal Fossa)     Released (2.6.0-2ubuntu0.1)
  Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (code not present)
  Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (code not present)
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

Patches:
Upstream: https://gitlab.gnome.org/GNOME/balsa/-/commit/e8952e3ccb1bb5094a6f8920e7c274e2e7dae184

glib-networking (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 20.10 (Groovy Gorilla)      Released (2.64.2-1ubuntu1)
  Ubuntu 20.04 LTS (Focal Fossa)     Released (2.64.2-1ubuntu0.1)
  Ubuntu 18.04 LTS (Bionic Beaver)   Released (2.56.0-1ubuntu0.1)
  Ubuntu 16.04 LTS (Xenial Xerus)    Released (2.48.2-1~ubuntu16.04.2)
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

Patches:
Upstream: https://gitlab.gnome.org/GNOME/glib-networking/-/commit/29513946809590c4912550f6f8620468f9836d94