Bug 27242 - geary new security issue CVE-2020-24661
Summary: geary new security issue CVE-2020-24661
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2020-09-03 23:32 CEST by David Walser
Modified: 2020-10-21 15:09 CEST
CC List: 4 users

See Also:
Source RPM: geary-3.32.1-1.mga7.src.rpm
CVE: CVE-2020-24661
Status comment:


Description David Walser 2020-09-03 23:32:39 CEST
Fedora has issued an advisory today (September 3):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NS6CSTOBVO5HSAR3X5CT6DS6QDHXDB26/

The issue is fixed upstream in 3.36.3.1.
Comment 1 Aurelien Oudelet 2020-09-04 09:53:12 CEST
Hi, thanks for reporting this bug.
As there is no maintainer for this package I added the committers in CC.

(Packager: Please set the status to 'assigned' if you are working on it)

CC: (none) => olav
Keywords: (none) => Triaged
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2020-10-20 16:56:16 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. This allows a meddler in the middle to present a different invalid certificate to intercept incoming and outgoing mail. (CVE-2020-24661)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24661
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NS6CSTOBVO5HSAR3X5CT6DS6QDHXDB26/
========================

Updated package in core/updates_testing:
========================
geary-3.32.1-1.1.mga7

from SRPM:
geary-3.32.1-1.1.mga7.src.rpm

CVE: (none) => CVE-2020-24661
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Keywords: Triaged => (none)
Status: NEW => ASSIGNED

Comment 3 Aurelien Oudelet 2020-10-21 11:52:36 CEST
Testing on M7-GNOME x86_64
Geary-3.32.1-1.mga7 installed.
ssl/imap and ssl/smtp set via free.fr provider. Connection OK.

Before installing the pending update to geary in updates_testing,
according to https://gitlab.gnome.org/GNOME/geary/-/issues/866:

If there is no read-write PKCS#11 store accessible by GCR (e.g, gnome-keyring-daemon is not installed, the gnome-keyring user PKCS#11 store is not installed or enabled, or gnome-keyring has dropped support for it, again), and an exception for an invalid TLS certificate has previously been allowed by the user for a specific server identity (e.g. the host name/IP address configured for the service), then subsequent connections to the same server identity will be accepted without comparing the certificate presented by the server with the certificate that was originally presented and pinned.

The environment must be set up without gnome-keyring installed.
By default, Mageia 7 ships gnome-keyring. This is mitigated.

Testing the PoC must break the GNOME session:
# urpme gnome-keyring
This wants to uninstall all the gnome-session stuff, even MATE if installed.

Installing the pending update does not break functionality.
Set flag OK.

CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
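The failure mode quoted from issue 866 above, and the advisory text in Comment 2, as an added example that is not Geary's code: a toy TOFU (trust-on-first-use) pinning layer in Python in which the per-identity "exception allowed" flag and the pinned certificate are kept in separate places, as they are in Geary (GSettings-style exception on one side, GCR/PKCS#11 store on the other). The PinStore and MailClient classes, the server identity imap.example.net:993 and the byte-string "certificates" are all constructed for the example. With a writable store the second connection rejects a different certificate; with no writable store the vulnerable client accepts any certificate for an excepted identity, and the fail-closed variant refuses.

```python
"""TOFU certificate pinning with a pin store that may be unavailable.

Models the condition in GNOME/geary#866: the user's "trust this
certificate" decision is remembered per server identity, while the pinned
certificate lives in a separate store (GCR/PKCS#11 in Geary) that may be
read-only or absent. The vulnerable path accepts any certificate for an
excepted identity when no pin can be found; the fixed path fails closed.
Simplified model written for this bug page, not Geary's own code.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate's DER bytes, the usual pin value."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Stand-in for the PKCS#11 trust store. writable=False models the
    'no read-write PKCS#11 store' case (e.g. gnome-keyring not running)."""

    def __init__(self, writable: bool = True) -> None:
        self._writable = writable
        self._pins: Dict[str, str] = {}

    def add(self, identity: str, cert_der: bytes) -> bool:
        if not self._writable:
            return False  # the pin is silently lost
        self._pins[identity] = fingerprint(cert_der)
        return True

    def lookup(self, identity: str) -> Optional[str]:
        return self._pins.get(identity)


@dataclass
class MailClient:
    store: PinStore
    fail_closed: bool  # False reproduces the pre-3.36.3 behaviour
    # Identities for which the user accepted an invalid certificate once.
    exceptions: Set[str] = field(default_factory=set)

    def accept_invalid_cert(self, identity: str, cert_der: bytes) -> bool:
        """User clicked 'trust' on an invalid (e.g. self-signed) certificate."""
        self.exceptions.add(identity)
        return self.store.add(identity, cert_der)  # False if the pin was lost

    def verify(self, identity: str, cert_der: bytes,
               chain_valid: bool = False) -> bool:
        """Decide whether to proceed with the IMAP/SMTP TLS session."""
        if chain_valid:
            return True  # normal PKIX validation passed, no pin needed
        if identity not in self.exceptions:
            return False  # a real client would prompt the user here
        pinned = self.store.lookup(identity)
        if pinned is None:
            # Exception remembered but no pin to compare against: either the
            # store was never writable or it is gone. Vulnerable: accept.
            # Fixed: treat as untrusted and make the user decide again.
            return not self.fail_closed
        # Constant-time comparison of the hex fingerprints.
        return hmac.compare_digest(pinned, fingerprint(cert_der))


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run the issue's scenario against three client configurations and
    return, per configuration, (original cert accepted again?, attacker's
    cert accepted?)."""
    identity = "imap.example.net:993"  # assumed server identity
    # Constructed stand-ins for DER certificates; any distinct bytes will do.
    original = b"constructed-der:CN=imap.example.net;serial=1"
    attacker = b"constructed-der:CN=imap.example.net;serial=2"

    results: Dict[str, Tuple[bool, bool]] = {}
    for label, writable, fail_closed in (
        ("keyring_present", True, False),
        ("no_keyring_vulnerable", False, False),
        ("no_keyring_fixed", False, True),
    ):
        client = MailClient(PinStore(writable=writable), fail_closed=fail_closed)
        client.accept_invalid_cert(identity, original)
        results[label] = (
            client.verify(identity, original),
            client.verify(identity, attacker),
        )
    return results


if __name__ == "__main__":
    for label, (same, mitm) in demo().items():
        print(f"{label:24s} original={same} attacker={mitm}")
```

The fail-closed variant pays for its safety by rejecting even the originally accepted certificate when no pin can be persisted, so the user is asked again on every connection; that is the expected trade-off when the trust store is missing, and it is also why the QA note above matters: on a Mageia 7 GNOME install gnome-keyring is present, so the store is writable and the comparison runs. How upstream 3.36.3 persists the pin instead is not reproduced here.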

Comment 4 Aurelien Oudelet 2020-10-21 11:55:07 CEST
Advisory and packages in Comment 2.
Advisory pushed to svn.
Aurelien Oudelet 2020-10-21 11:58:30 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-10-21 15:09:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0390.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

