
Bug#964435: buster-pu: package glib-networking/2.58.0-2+deb10u1



Control: tags -1 -moreinfo

On 11/07/2020 14:49, Adam D. Barratt wrote:
> On Sat, 2020-07-11 at 13:54 +0200, Emilio Pozuelo Monfort wrote:
>> On 07/07/2020 17:14, Simon McVittie wrote:
>>> Control: tags -1 + moreinfo
>>>
>>> On Tue, 07 Jul 2020 at 16:50:36 +0200, Emilio Pozuelo Monfort
>>> wrote:
>>>> On 07/07/2020 11:04, Simon McVittie wrote:
>>>>> The only application that was believed to be vulnerable to this
>>>>> in practice is balsa, which only became vulnerable in post-
>>>>> buster versions; older versions such as the one in buster
>>>>> implemented their own TLS.
> [...]
>>> If balsa in buster is affected by this, then we'll need to hold off
>>> on doing this stable-update until a matching version of balsa is
>>> ready, like I originally suspected was going to be necessary.
> [...]
>> I have verified that balsa needed a fix, and uploaded it to buster-
>> pu, see #964860.
>>
>> Should we add a breaks to glib-networking?
> 
> That seems like a good idea, given that we know the new glib-networking 
> + old balsa combination won't work.

Uploaded +deb10u2 with the attached debdiff.

Thanks,
Emilio
diff -Nru glib-networking-2.58.0/debian/changelog glib-networking-2.58.0/debian/changelog
--- glib-networking-2.58.0/debian/changelog	2020-07-07 10:30:02.000000000 +0200
+++ glib-networking-2.58.0/debian/changelog	2020-07-11 14:55:23.000000000 +0200
@@ -1,3 +1,10 @@
+glib-networking (2.58.0-2+deb10u2) buster; urgency=medium
+
+  * Break balsa older than 2.5.6-2+deb10u1 as the fix for CVE-2020-13645
+    breaks balsa's certificate verification (see #961792).
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Sat, 11 Jul 2020 14:55:23 +0200
+
 glib-networking (2.58.0-2+deb10u1) buster; urgency=medium
 
   * Team upload
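
Review bot: the new 2.58.0-2+deb10u2 entry cites only #961792, while the balsa update that satisfies the new Breaks is tracked in #964860 according to the mail above. Citing that bug in the entry as well, for example "(see #961792 and #964860)", would let someone reading the changelog find the balsa version they need without going back to this thread.
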
diff -Nru glib-networking-2.58.0/debian/control glib-networking-2.58.0/debian/control
--- glib-networking-2.58.0/debian/control	2018-12-24 15:40:07.000000000 +0100
+++ glib-networking-2.58.0/debian/control	2020-07-11 14:55:23.000000000 +0200
@@ -6,7 +6,7 @@
 Section: libs
 Priority: optional
 Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
-Uploaders: Iain Lane <laney@debian.org>, Jeremy Bicha <jbicha@debian.org>, Michael Biebl <biebl@debian.org>
+Uploaders: Emilio Pozuelo Monfort <pochu@debian.org>, Iain Lane <laney@debian.org>, Jeremy Bicha <jbicha@debian.org>, Michael Biebl <biebl@debian.org>
 Build-Depends: debhelper (>= 10.3),
                meson (>= 0.42),
                gnome-pkg-tools,
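
Review bot: the Uploaders change in this hunk is not mentioned in the new changelog entry, and the debian/control.in diff further down has no matching hunk. If debian/control is regenerated from debian/control.in during the build this is expected output. If it was edited by hand, the two files now disagree, and the change should either be made in control.in as well or dropped so that the stable update carries only the Breaks.
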
@@ -29,6 +29,7 @@
          glib-networking-services (<< ${source:Version}.1~),
          glib-networking-common (>= ${source:Version}),
          gsettings-desktop-schemas
+Breaks: balsa (<< 2.5.6-2+deb10u1)
 Description: network-related giomodules for GLib
  This package contains various network related extensions for the GIO
  library.
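
Review bot: the bound in "Breaks: balsa (<< 2.5.6-2+deb10u1)" must be exactly the version of the fixed balsa upload from #964860, which this debdiff alone cannot confirm. A bound that is too low leaves the new glib-networking installable next to a balsa whose certificate verification is broken, and one that is too high blocks the fixed balsa. Please confirm the version string against the accepted balsa upload before this one is accepted.
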
diff -Nru glib-networking-2.58.0/debian/control.in glib-networking-2.58.0/debian/control.in
--- glib-networking-2.58.0/debian/control.in	2018-12-24 15:40:07.000000000 +0100
+++ glib-networking-2.58.0/debian/control.in	2020-07-11 14:54:02.000000000 +0200
@@ -25,6 +25,7 @@
          glib-networking-services (<< ${source:Version}.1~),
          glib-networking-common (>= ${source:Version}),
          gsettings-desktop-schemas
+Breaks: balsa (<< 2.5.6-2+deb10u1)
 Description: network-related giomodules for GLib
  This package contains various network related extensions for the GIO
  library.
