Bug 26880 - alpine, c-client new security issue CVE-2020-14929
Summary: alpine, c-client new security issue CVE-2020-14929
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Duplicates: 27721
Depends on:
Blocks:
 
Reported: 2020-07-01 20:56 CEST by David Walser
Modified: 2021-01-10 20:47 CET (History)
CC: 7 users

See Also:
Source RPM: alpine-2.11-5.mga7.src.rpm, c-client-2007f-13.mga7.src.rpm
CVE: CVE-2020-14929
Status comment:



Description David Walser 2020-07-01 20:56:30 CEST
Debian-LTS has issued an advisory on June 25:
https://www.debian.org/lts/security/2020/dla-2254

The issue is fixed upstream in 2.23.

Debian patched 2.11.

Mageia 7 is also affected.
David Walser 2020-07-01 20:56:39 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-07-01 21:45:55 CEST
Variously maintained, so assigning this globally. CC'ing Christiaan, its registered maintainer.

Assignee: bugsquad => pkg-bugs
CC: (none) => cjw

Comment 2 Christiaan Welvaart 2020-07-01 23:03:14 CEST
If this bug is in the IMAP library, as the patch suggests, does it not also affect the c-client package?

Assignee: pkg-bugs => cjw

Comment 3 David Walser 2020-07-01 23:34:04 CEST
Yes.  Is there a reason alpine isn't built against that?

Summary: alpine new security issue CVE-2020-14929 => alpine, c-client new security issue CVE-2020-14929
Source RPM: alpine-2.11-6.mga8.src.rpm => alpine-2.11-6.mga8.src.rpm, c-client-2007f-14.mga8.src.rpm

Comment 4 David Walser 2020-07-08 00:14:34 CEST
Fedora has issued an advisory for this on July 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZJLY6JDVGDNAJZ3UQDWYWSDBWOAOXMNX/
Comment 5 David Walser 2020-12-04 00:21:39 CET
*** Bug 27721 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Comment 6 David Walser 2020-12-27 19:29:36 CET
Patch added in alpine-2.11-8.mga8 and c-client-2007f-15.mga8.

The alpine package should still be updated, and built against the system c-client library.

Status comment: (none) => alpine needs to be updated and built against system c-client

Comment 7 Nicolas Lécureuil 2020-12-27 22:20:03 CET
New version 2.24 pushed in cauldron.

CC: (none) => mageia
Version: Cauldron => 7

Comment 8 David Walser 2020-12-27 22:28:24 CET
Bug 27952 filed for the bundled c-client code.

Status comment: alpine needs to be updated and built against system c-client => (none)
Whiteboard: MGA7TOO => (none)

Comment 9 David Walser 2020-12-27 22:32:12 CET
Advisory:
========================

Updated alpine and c-client packages fix security vulnerability:

Alpine before 2.23 silently proceeds to use an insecure connection after a /tls
is sent in certain circumstances involving PREAUTH, which is a less secure
behavior than the alternative of closing the connection and letting the user
decide what they would like to do (CVE-2020-14929).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14929
https://www.debian.org/lts/security/2020/dla-2254
========================

Updated packages in core/updates_testing:
========================
alpine-2.11-5.1.mga7
libc-client0-2007f-13.1.mga7
libc-client-devel-2007f-13.1.mga7

from SRPMS:
alpine-2.11-5.1.mga7.src.rpm
c-client-2007f-13.1.mga7.src.rpm

Assignee: cjw => qa-bugs
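The advisory above describes a fail-open STARTTLS path: the client was told to require TLS (the /tls flag) but, when the server greets with PREAUTH, it cannot issue STARTTLS (RFC 3501 only allows STARTTLS in the not-authenticated state) and pre-2.23 Alpine carried on in plaintext. The following is an added, constructed illustration of the decision an IMAP client has to make at the greeting; it is not Alpine or c-client code, and the greetings, function names and the `fail_closed` switch are assumptions made for the example.

```python
import re

# Constructed sample greetings (not captured from any real server).
GREETING_OK = b"* OK [CAPABILITY IMAP4rev1 STARTTLS] server ready\r\n"
GREETING_OK_NO_STARTTLS = b"* OK [CAPABILITY IMAP4rev1] server ready\r\n"
GREETING_PREAUTH = b"* PREAUTH [CAPABILITY IMAP4rev1] already authenticated\r\n"
GREETING_BYE = b"* BYE too many connections\r\n"

_GREETING_RE = re.compile(rb"^\* (OK|PREAUTH|BYE)(?: \[CAPABILITY ([^\]]*)\])?")


class InsecureSessionError(Exception):
    """Raised when TLS was required but the session cannot be protected."""


def parse_greeting(line: bytes):
    """Return (status, capabilities) from an untagged IMAP greeting line."""
    match = _GREETING_RE.match(line)
    if match is None:
        raise ValueError("not an IMAP greeting: %r" % line)
    status = match.group(1).decode("ascii")
    caps = set()
    if match.group(2):
        caps = {c.decode("ascii").upper() for c in match.group(2).split()}
    return status, caps


def negotiate(greeting: bytes, require_tls: bool, already_tls: bool = False,
              fail_closed: bool = True) -> str:
    """Decide what the client does after reading the greeting.

    Returns "tls-already" (implicit TLS port), "starttls" (upgrade now) or
    "plaintext" (continue unprotected). With fail_closed=True, a session that
    cannot be upgraded while TLS was required raises InsecureSessionError,
    which is the behaviour the advisory calls for (close and let the user
    decide); fail_closed=False models the silent fallback being fixed.
    """
    status, caps = parse_greeting(greeting)

    if status == "BYE":
        # Server is rejecting us before any state is entered.
        raise ConnectionError("server closed the session at greeting")

    if already_tls:
        # Connected on an implicit-TLS port: nothing to upgrade.
        return "tls-already"

    if status == "PREAUTH":
        # PREAUTH puts the session straight into the authenticated state,
        # where STARTTLS is not permitted, so the link stays plaintext.
        if require_tls and fail_closed:
            raise InsecureSessionError("PREAUTH greeting, TLS cannot be negotiated")
        return "plaintext"

    # status == "OK": not-authenticated state, STARTTLS is allowed if advertised.
    if "STARTTLS" in caps:
        return "starttls"
    if require_tls and fail_closed:
        raise InsecureSessionError("server does not advertise STARTTLS")
    return "plaintext"


if __name__ == "__main__":
    for name, greeting in [("OK", GREETING_OK), ("PREAUTH", GREETING_PREAUTH)]:
        for closed in (False, True):
            try:
                print(name, "fail_closed=%s ->" % closed,
                      negotiate(greeting, require_tls=True, fail_closed=closed))
            except InsecureSessionError as exc:
                print(name, "fail_closed=%s -> refused: %s" % (closed, exc))
```

The same decision applies when a plaintext greeting simply omits STARTTLS from its capabilities: a client that was asked for TLS should refuse rather than quietly log in over the clear, and the user-visible difference between the two settings is exactly the one the advisory describes.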

Comment 10 Brian Rockwell 2021-01-08 20:06:14 CET
Installed on a 64-bit system.

Started mail and set up imap and smtp.

I was able to connect and read Email.

Seems to work for me.

CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK

Comment 11 Thomas Andrews 2021-01-08 23:11:14 CET
Validating. Advisory in Comment 9.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 12 Aurelien Oudelet 2021-01-10 18:27:00 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
CVE: (none) => CVE-2020-14929
Source RPM: alpine-2.11-6.mga8.src.rpm, c-client-2007f-14.mga8.src.rpm => alpine-2.11-5.mga7.src.rpm, c-client-2007f-13.mga7.src.rpm
Keywords: (none) => advisory

Comment 13 Mageia Robot 2021-01-10 20:47:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0014.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED