Debian-LTS has issued an advisory on June 25: https://www.debian.org/lts/security/2020/dla-2254 The issue is fixed upstream in 2.23. Debian patched 2.11. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Variously maintained, so assigning this globally. CC'ing Christiaan, its registered maintainer.
Assignee: bugsquad => pkg-bugsCC: (none) => cjw
If this bug is in the IMAP library, as the patch suggests, does it not also affect the c-client package?
Assignee: pkg-bugs => cjw
Yes. Is there a reason alpine isn't built against that?
Summary: alpine new security issue CVE-2020-14929 => alpine, c-client new security issue CVE-2020-14929Source RPM: alpine-2.11-6.mga8.src.rpm => alpine-2.11-6.mga8.src.rpm, c-client-2007f-14.mga8.src.rpm
Fedora has issued an advisory for this on July 3: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZJLY6JDVGDNAJZ3UQDWYWSDBWOAOXMNX/
*** Bug 27721 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu
Patch added in alpine-2.11-8.mga8 and c-client-2007f-15.mga8. The alpine package should still be updated, and built against the system c-client library.
Status comment: (none) => alpine needs to be updated and built against system c-client
New version 2.24 pushed in cauldron.
CC: (none) => mageiaVersion: Cauldron => 7
Bug 27952 filed for the bundled c-client code.
Status comment: alpine needs to be updated and built against system c-client => (none)Whiteboard: MGA7TOO => (none)
Advisory: ======================== Updated alpine and c-client packages fix security vulnerability: Alpine before 2.23 silently proceeds to use an insecure connection after a /tls is sent in certain circumstances involving PREAUTH, which is a less secure behavior than the alternative of closing the connection and letting the user decide what they would like to do (CVE-2020-14929). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14929 https://www.debian.org/lts/security/2020/dla-2254 ======================== Updated packages in core/updates_testing: ======================== alpine-2.11-5.1.mga7 libc-client0-2007f-13.1.mga7 libc-client-devel-2007f-13.1.mga7 from SRPMS: alpine-2.11-5.1.mga7.src.rpm c-client-2007f-13.1.mga7.src.rpm
Assignee: cjw => qa-bugs
Install on 64 bit system.. Started mail and set up imap and smtp. I was able to connect and read Email. Seems to work for me.
CC: (none) => brtians1Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 9.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Advisory pushed to SVN.
CC: (none) => ouaurelienCVE: (none) => CVE-2020-14929Source RPM: alpine-2.11-6.mga8.src.rpm, c-client-2007f-14.mga8.src.rpm => alpine-2.11-5.mga7.src.rpm, c-client-2007f-13.mga7.src.rpmKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0014.html
Status: NEW => RESOLVEDResolution: (none) => FIXED