Security update for glib-networking SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:3944-1 Final 1 1 2021-12-06T13:56:33Z current 2021-12-06T13:56:33Z 2021-12-06T13:56:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for glib-networking This update for glib-networking fixes the following issues: Update to version 2.62.4: - CVE-2020-13645: Fixed a connection failure when the server identity is unset (bsc#1172460). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2021-3944 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3WJQDO7GLZV6KOOPFA2ZGLO6YGORWTRO/ E-Mail link for openSUSE-SU-2021:3944-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1172460 SUSE Bug 1172460 https://www.suse.com/security/cve/CVE-2020-13645/ SUSE CVE CVE-2020-13645 page openSUSE Leap 15.3 glib-networking-2.62.4-3.3.1 glib-networking-32bit-2.62.4-3.3.1 glib-networking-lang-2.62.4-3.3.1 glib-networking-2.62.4-3.3.1 as a component of openSUSE Leap 15.3 glib-networking-32bit-2.62.4-3.3.1 as a component of openSUSE Leap 15.3 glib-networking-lang-2.62.4-3.3.1 as a component of openSUSE Leap 15.3 In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host. CVE-2020-13645 openSUSE Leap 15.3:glib-networking-2.62.4-3.3.1 openSUSE Leap 15.3:glib-networking-32bit-2.62.4-3.3.1 openSUSE Leap 15.3:glib-networking-lang-2.62.4-3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3WJQDO7GLZV6KOOPFA2ZGLO6YGORWTRO/ https://www.suse.com/security/cve/CVE-2020-13645.html CVE-2020-13645 https://bugzilla.suse.com/1172460 SUSE Bug 1172460