Bug 27168 - libetpan new security issue CVE-2020-15953
Summary: libetpan new security issue CVE-2020-15953
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: Mageia 7
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-08-21 20:46 CEST by David Walser
Modified: 2020-09-15 13:47 CEST (History)
4 users (show)

See Also:
Source RPM: libetpan-1.9.3-1.mga7.src.rpm
CVE: CVE-2020-15953
Status comment:


Attachments

Description David Walser 2020-08-21 20:46:22 CEST
Debian-LTS has issued an advisory on August 16:
https://www.debian.org/lts/security/2020/dla-2329

Mageia 7 is also affected.
David Walser 2020-08-21 20:46:30 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-08-21 20:50:59 CEST
libetpan has no evident maintainer, so have to assign this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-08-21 23:37:16 CEST
Fedora has issued an advisory for this on August 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/
Comment 3 Nicolas Salguero 2020-09-02 09:05:05 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection". (CVE-2020-15953)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15953
https://www.debian.org/lts/security/2020/dla-2329
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/
========================

Updated packages in core/updates_testing:
========================
lib(64)etpan20-1.9.3-1.1.mga7
lib(64)etpan-devel-1.9.3-1.1.mga7

from SRPM:
libetpan-1.9.3-1.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Source RPM: libetpan-1.9.4-3.mga8.src.rpm => libetpan-1.9.3-1.mga7.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-15953
Whiteboard: MGA7TOO => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 7

Comment 4 Herman Viaene 2020-09-14 14:17:40 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 20809, using claws-mail to test.
Sending to and receiving mail with and without attachment between hotmail account on this laptop with claws-mail and gmail account on my desktop with thunderbird. All works OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

David Walser 2020-09-14 18:58:42 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2020-09-14 21:34:05 CEST

CC: (none) => ouaurelien
Target Milestone: --- => Mageia 7
Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-09-15 13:47:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0366.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.