
Bug#964435: buster-pu: package glib-networking/2.58.0-2+deb10u1



On 07/07/2020 17:14, Simon McVittie wrote:
> Control: tags -1 + moreinfo
> 
> On Tue, 07 Jul 2020 at 16:50:36 +0200, Emilio Pozuelo Monfort wrote:
>> On 07/07/2020 11:04, Simon McVittie wrote:
>>> The only application that was believed to be vulnerable to this
>>> in practice is balsa, which only became vulnerable in post-buster
>>> versions; older versions such as the one in buster implemented their
>>> own TLS.
>>
>> Are you sure about this? Ubuntu had to patch balsa in eoan, which had the
>> same version that buster has, see [1].
>>
>> [1] https://launchpadlibrarian.net/485808024/balsa_2.5.6-2_2.5.6-2ubuntu0.1.diff.gz
> 
> Well spotted. I haven't verified this myself, I
> was just relaying what the balsa maintainer said on
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961792>.
> 
> Daniel: perhaps there is more than one module using TLS? In #961792 you're
> talking about libbalsa/{server,libbalsa}.c, but the Ubuntu patch is against
> libnetclient/net-client.c. Sorry, I don't know this codebase.
> 
> If balsa in buster is affected by this, then we'll need to hold off on
> doing this stable-update until a matching version of balsa is ready, like
> I originally suspected was going to be necessary.
> 
> I've uploaded the proposed glib-networking to proposed-updates, and it's
> available from
> https://salsa.debian.org/gnome-team/glib-networking/-/tree/debian/buster-proposed
> if that helps with testing against it.

I have verified that balsa needed a fix, and uploaded it to buster-pu, see #964860.

Should we add a breaks to glib-networking?

Cheers,
Emilio

