
Bug#964435: buster-pu: package glib-networking/2.58.0-2+deb10u1



On 07/07/2020 11:04, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> Older versions of glib-networking's TLS implementation have a security
> issue (CVE-2020-13645): according to the documentation, if the caller
> does not specify a server identity, glib-networking should fail closed
> (reject all server identities), but in fact it failed open (accept all
> server identities).
> 
> The only application that was believed to be vulnerable to this
> in practice is balsa, which only became vulnerable in post-buster
> versions; older versions such as the one in buster implemented their
> own TLS.

Are you sure about this? Ubuntu had to patch balsa in eoan, which had the
same version that buster has, see [1].

Cheers,
Emilio

[1] https://launchpadlibrarian.net/485808024/balsa_2.5.6-2_2.5.6-2ubuntu0.1.diff.gz
