Bug 27040

Summary: claws-mail new security issue CVE-2020-15917
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, jani.valimaa, julien.moragny, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: claws-mail-3.17.4-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-08-05 00:51:31 CEST 
openSUSE has issued an advisory on July 31:
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00090.html

The issue is fixed upstream in 3.17.6.
David Walser 2020-08-05 00:51:47 CEST

CC: (none) => julien.moragny

Comment 1 David Walser 2020-08-05 00:53:26 CEST 
Same advisory for openSUSE 15.2 from August 3:
https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00002.html
Comment 2 David Walser 2020-08-05 03:02:07 CEST 
Fedora has issued an advisory for this on August 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G7UX65342HRVDQML4G4GEVEUB764EUM5/

Severity: normal => critical

Comment 3 Jani Välimaa 2020-08-09 19:36:52 CEST 
Pushed claws-mail 3.17.6 to core/updates_testing for mga7.

SRPMS:
claws-mail-3.17.6-1.mga7

RPMS:
claws-mail-3.17.6-1.mga7
claws-mail-acpi-plugin-3.17.6-1.mga7
claws-mail-address_keeper-plugin-3.17.6-1.mga7
claws-mail-archive-plugin-3.17.6-1.mga7
claws-mail-attachwarner-plugin-3.17.6-1.mga7
claws-mail-att_remover-plugin-3.17.6-1.mga7
claws-mail-bogofilter-plugin-3.17.6-1.mga7
claws-mail-bsfilter-plugin-3.17.6-1.mga7
claws-mail-clamd-plugin-3.17.6-1.mga7
claws-mail-devel-3.17.6-1.mga7
claws-mail-dillo-plugin-3.17.6-1.mga7
claws-mail-fetchinfo-plugin-3.17.6-1.mga7
claws-mail-gdata-plugin-3.17.6-1.mga7
claws-mail-libravatar-plugin-3.17.6-1.mga7
claws-mail-litehtml_viewer-plugin-3.17.6-1.mga7
claws-mail-mailmbox-plugin-3.17.6-1.mga7
claws-mail-managesieve-plugin-3.17.6-1.mga7
claws-mail-newmail-plugin-3.17.6-1.mga7
claws-mail-notification-plugin-3.17.6-1.mga7
claws-mail-pdf_viewer-plugin-3.17.6-1.mga7
claws-mail-perl-plugin-3.17.6-1.mga7
claws-mail-pgpcore-plugin-3.17.6-1.mga7
claws-mail-pgpinline-plugin-3.17.6-1.mga7
claws-mail-pgpmime-plugin-3.17.6-1.mga7
claws-mail-plugins-3.17.6-1.mga7
claws-mail-python-plugin-3.17.6-1.mga7
claws-mail-rssyl-plugin-3.17.6-1.mga7
claws-mail-smime-plugin-3.17.6-1.mga7
claws-mail-spamassassin-plugin-3.17.6-1.mga7
claws-mail-spam_report-plugin-3.17.6-1.mga7
claws-mail-tools-3.17.6-1.mga7
claws-mail-vcalendar-plugin-3.17.6-1.mga7

Assignee: jani.valimaa => qa-bugs
CC: (none) => jani.valimaa

Comment 4 David Walser 2020-08-09 22:18:39 CEST 
Advisory:
========================

Updated claws-mail packages fix security vulnerability:

common/session.c in Claws Mail before 3.17.6 has a protocol violation because
suffix data after STARTTLS is mishandled (CVE-2020-15917).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15917
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G7UX65342HRVDQML4G4GEVEUB764EUM5/
Comment 5 Herman Viaene 2020-08-10 10:51:24 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Tested by configuring claws-mail to use my hotmail account and sending and receiving mails without and with attachment to and from my gmail account on my desktop PC.
All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-08-11 02:03:44 CEST 
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 David Walser 2020-08-16 16:17:18 CEST 
and package list in Comment 3.
Dave Hodgins 2020-08-18 17:02:06 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-08-18 19:42:58 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0321.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED