Bug#964435: buster-pu: package glib-networking/2.58.0-2+deb10u1
Control: tags -1 + moreinfo

On Tue, 07 Jul 2020 at 16:50:36 +0200, Emilio Pozuelo Monfort wrote:
> On 07/07/2020 11:04, Simon McVittie wrote:
> > The only application that was believed to be vulnerable to this
> > in practice is balsa, which only became vulnerable in post-buster
> > versions; older versions such as the one in buster implemented their
> > own TLS.
> 
> Are you sure about this? Ubuntu had to patch balsa in eoan, which had the
> same version that buster has, see [1].
> 
> [1] https://launchpadlibrarian.net/485808024/balsa_2.5.6-2_2.5.6-2ubuntu0.1.diff.gz

Well spotted. I haven't verified this myself; I
was just relaying what the balsa maintainer said on
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961792>.

Daniel: perhaps there is more than one module using TLS? In #961792 you're
talking about libbalsa/{server,libbalsa}.c, but the Ubuntu patch is against
libnetclient/net-client.c. Sorry, I don't know this codebase.

If balsa in buster is affected by this, then we'll need to hold off on
doing this stable-update until a matching version of balsa is ready, like
I originally suspected was going to be necessary.

I've uploaded the proposed glib-networking to proposed-updates, and it's
available from
https://salsa.debian.org/gnome-team/glib-networking/-/tree/debian/buster-proposed
if that helps with testing against it.

    smcv
