openSUSE has issued an advisory on July 31: https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00090.html The issue is fixed upstream in 3.17.6.
CC: (none) => julien.moragny
Same advisory for openSUSE 15.2 from August 3: https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00002.html
Fedora has issued an advisory for this on August 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G7UX65342HRVDQML4G4GEVEUB764EUM5/
Severity: normal => critical
Pushed claws-mail 3.17.6 to core/updates_testing for mga7. SRPMS: claws-mail-3.17.6-1.mga7 RPMS: claws-mail-3.17.6-1.mga7 claws-mail-acpi-plugin-3.17.6-1.mga7 claws-mail-address_keeper-plugin-3.17.6-1.mga7 claws-mail-archive-plugin-3.17.6-1.mga7 claws-mail-attachwarner-plugin-3.17.6-1.mga7 claws-mail-att_remover-plugin-3.17.6-1.mga7 claws-mail-bogofilter-plugin-3.17.6-1.mga7 claws-mail-bsfilter-plugin-3.17.6-1.mga7 claws-mail-clamd-plugin-3.17.6-1.mga7 claws-mail-devel-3.17.6-1.mga7 claws-mail-dillo-plugin-3.17.6-1.mga7 claws-mail-fetchinfo-plugin-3.17.6-1.mga7 claws-mail-gdata-plugin-3.17.6-1.mga7 claws-mail-libravatar-plugin-3.17.6-1.mga7 claws-mail-litehtml_viewer-plugin-3.17.6-1.mga7 claws-mail-mailmbox-plugin-3.17.6-1.mga7 claws-mail-managesieve-plugin-3.17.6-1.mga7 claws-mail-newmail-plugin-3.17.6-1.mga7 claws-mail-notification-plugin-3.17.6-1.mga7 claws-mail-pdf_viewer-plugin-3.17.6-1.mga7 claws-mail-perl-plugin-3.17.6-1.mga7 claws-mail-pgpcore-plugin-3.17.6-1.mga7 claws-mail-pgpinline-plugin-3.17.6-1.mga7 claws-mail-pgpmime-plugin-3.17.6-1.mga7 claws-mail-plugins-3.17.6-1.mga7 claws-mail-python-plugin-3.17.6-1.mga7 claws-mail-rssyl-plugin-3.17.6-1.mga7 claws-mail-smime-plugin-3.17.6-1.mga7 claws-mail-spamassassin-plugin-3.17.6-1.mga7 claws-mail-spam_report-plugin-3.17.6-1.mga7 claws-mail-tools-3.17.6-1.mga7 claws-mail-vcalendar-plugin-3.17.6-1.mga7
Assignee: jani.valimaa => qa-bugsCC: (none) => jani.valimaa
Advisory: ======================== Updated claws-mail packages fix security vulnerability: common/session.c in Claws Mail before 3.17.6 has a protocol violation because suffix data after STARTTLS is mishandled (CVE-2020-15917). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15917 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G7UX65342HRVDQML4G4GEVEUB764EUM5/
MGA7-64 Plasma on Lenovo B50 No installation issues. Tested by configuring claws-mail to use my hotmail account and sending and receiving mails without and with attachment to and from my gmail account on my desktop PC. All OK.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
and package list in Comment 3.
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0321.html
Status: NEW => RESOLVEDResolution: (none) => FIXED