CVE-2020-13645
First published: Thu May 28 2020(Updated: )
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNOME Balsa | <2.5.11 | |
| GNOME Balsa | =2.6.0 | |
| GNOME glib-networking | <2.62.4 | |
| GNOME glib-networking | >=2.64.0<2.64.3 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| Canonical Ubuntu Linux | =20.04 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Netapp Cloud Backup | ||
| Broadcom Fabric Operating System | ||
| ubuntu/balsa | <2.5.6-2ubuntu0.1 | 2.5.6-2ubuntu0.1 |
| ubuntu/balsa | <2.6.0-2ubuntu0.1 | 2.6.0-2ubuntu0.1 |
| ubuntu/glib-networking | <2.56.0-1ubuntu0.1 | 2.56.0-1ubuntu0.1 |
| ubuntu/glib-networking | <2.62.1-1ubuntu0.1 | 2.62.1-1ubuntu0.1 |
| ubuntu/glib-networking | <2.64.2-1ubuntu0.1 | 2.64.2-1ubuntu0.1 |
| ubuntu/glib-networking | <2.48.2-1~ubuntu16.04.2 | 2.48.2-1~ubuntu16.04.2 |
| debian/glib-networking | 2.66.0-2 2.74.0-4 2.80.0-1 |
Remedy
https://gitlab.gnome.org/GNOME/glib-networking/-/commit/29513946809590c4912550f6f8620468f9836d94
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gitlab.gnome.org/GNOME/balsa/-/issues/34
- https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LRCUM22YEWWKNMN2BP5LTVDM5P4VWIXS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/
- https://security.gentoo.org/glsa/202007-50
- https://security.netapp.com/advisory/ntap-20200608-0004/
- https://usn.ubuntu.com/4405-1/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LRCUM22YEWWKNMN2BP5LTVDM5P4VWIXS/
- https://ubuntu.com/security/notices/USN-4405-1
- https://www.cve.org/CVERecord?id=CVE-2020-13645
- https://nvd.nist.gov/vuln/detail/CVE-2020-13645
- https://launchpad.net/bugs/cve/CVE-2020-13645
- https://security-tracker.debian.org/tracker/CVE-2020-13645
- https://gitlab.gnome.org/GNOME/balsa/-/commit/e8952e3ccb1bb5094a6f8920e7c274e2e7dae184
- https://gitlab.gnome.org/GNOME/glib-networking/-/commit/29513946809590c4912550f6f8620468f9836d94
- https://ubuntu.com/security/CVE-2020-13645
- https://bugs.debian.org/961792)
Frequently Asked Questions
What is CVE-2020-13645?
CVE-2020-13645 is a vulnerability in GNOME glib-networking through 2.64.2 that allows the skipping of hostname verification of the server's TLS certificate.
How severe is CVE-2020-13645?
CVE-2020-13645 has a severity rating of medium (6.5).
How does CVE-2020-13645 affect glib-networking?
CVE-2020-13645 affects glib-networking versions up to and including 2.64.2.
How can I fix CVE-2020-13645?
To fix CVE-2020-13645, upgrade to glib-networking version 2.64.3 or later.
Are there any references for CVE-2020-13645?
Yes, you can find references for CVE-2020-13645 at the following links: [Link 1](https://gitlab.gnome.org/GNOME/balsa/-/issues/34), [Link 2](https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135), [Link 3](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O/)
- collector/nvd-index
- agent/author
- agent/first-publish-date
- agent/remedy
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/description
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/references
- agent/softwarecombine
- agent/event
- agent/tags
- collector/nvd-cve
- source/NVD
- vendor/gnome
- canonical/gnome balsa
- version/gnome balsa/2.6.0
- canonical/gnome glib-networking
- version/gnome glib-networking/2.64.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.10
- version/canonical ubuntu linux/20.04
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/netapp
- canonical/netapp cloud backup
- vendor/broadcom
- canonical/broadcom fabric operating system
- package-manager/ubuntu
- package-manager/debian