CVE-2020-13645
Publication date 28 May 2020
Last updated 24 July 2024
Ubuntu priority
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| balsa | 20.04 LTS focal |
Fixed 2.6.0-2ubuntu0.1
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| glib-networking | 20.04 LTS focal |
Fixed 2.64.2-1ubuntu0.1
|
| 18.04 LTS bionic |
Fixed 2.56.0-1ubuntu0.1
|
|
| 16.04 LTS xenial |
Fixed 2.48.2-1~ubuntu16.04.2
|
|
| 14.04 LTS trusty | Not in release |
Notes
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-4405-1
- GLib Networking vulnerability
- 29 June 2020