Bug 27168

Summary: libetpan new security issue CVE-2020-15953
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: Mageia 7   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libetpan-1.9.3-1.mga7.src.rpm CVE: CVE-2020-15953
Status comment:

Description David Walser 2020-08-21 20:46:22 CEST 
Debian-LTS has issued an advisory on August 16:
https://www.debian.org/lts/security/2020/dla-2329

Mageia 7 is also affected.
David Walser 2020-08-21 20:46:30 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-08-21 20:50:59 CEST 
libetpan has no evident maintainer, so have to assign this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-08-21 23:37:16 CEST 
Fedora has issued an advisory for this on August 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/
Comment 3 Nicolas Salguero 2020-09-02 09:05:05 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection". (CVE-2020-15953)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15953
https://www.debian.org/lts/security/2020/dla-2329
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/
========================

Updated packages in core/updates_testing:
========================
lib(64)etpan20-1.9.3-1.1.mga7
lib(64)etpan-devel-1.9.3-1.1.mga7

from SRPM:
libetpan-1.9.3-1.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Source RPM: libetpan-1.9.4-3.mga8.src.rpm => libetpan-1.9.3-1.mga7.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-15953
Whiteboard: MGA7TOO => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 7

Comment 4 Herman Viaene 2020-09-14 14:17:40 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 20809, using claws-mail to test.
Sending to and receiving mail with and without attachment between hotmail account on this laptop with claws-mail and gmail account on my desktop with thunderbird. All works OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

David Walser 2020-09-14 18:58:42 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2020-09-14 21:34:05 CEST

CC: (none) => ouaurelien
Target Milestone: --- => Mageia 7
Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-09-15 13:47:02 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0366.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED