Bug 385311 (CVE-2011-3355) - <mail-client/evolution-3.8.5: Sent folder uses insecure connection instead of SSL (CVE-2011-3355)
Status: RESOLVED FIXED
Alias: CVE-2011-3355
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.gnome.org/show_bug.c...
Whiteboard: A3 [noglsa]
Reported: 2011-10-02 04:30 UTC by Tim Sammut (RETIRED)
Modified: 2015-03-18 17:59 UTC

Description Tim Sammut (RETIRED) gentoo-dev 2011-10-02 04:30:05 UTC
From the upstream bug at $URL:

Description of problem:

I use an imapx account with TLS security.
When I send a message, I get this error :
[CLIENTBUG] Plaintext authentication disallowed on non-secure (SSL-TLS)
connections.
My mail server is configured to refuse plaintext login on non secure
connection. 
Evolution is correctly configured to use secure connection (I tried with both
TLS and SSL) settings. So after sending a message it seems to ignore these
settings when trying to move the message to the sent folder.


Version-Release number of selected component (if applicable):
evolution-3.0.0-1.fc15

Steps to Reproduce:
1. Use mail server with plaintext login refused on non secure connection
2. Configure imapx account with TLS connection
3. Configure the account to store sent mail on imap server
4. Send mail

Actual results:

Evolution cannot store the mail in sent folder.

Expected results:

Mail stored in imap folder using TLS.

Additional info:

It is also a security risk, because Evolution sends plaintext password though
it is configured not to do so.
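
A per-connection guard of the kind this report calls for, as an added example that is not from the bug report or from Evolution's code: it decides, before any password is sent, whether a connection may issue LOGIN, honouring the account's security setting and the LOGINDISABLED capability from RFC 3501. The setting names `ssl`/`starttls`/`none`, the function names and the sample server lines are assumptions constructed for illustration.

```python
# Added example: a guard an IMAP client runs on EVERY connection it opens
# (including the one used to append to the Sent folder) before sending LOGIN.
# Setting names 'ssl' / 'starttls' / 'none' are assumed for illustration.

class InsecureLoginRefused(Exception):
    """Raised instead of sending a password over a cleartext channel."""

# Constructed sample server lines (not captured from a real server).
GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
POST_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"

def parse_capabilities(line):
    """Return capability atoms from a greeting or untagged CAPABILITY line."""
    text = line.strip()
    start = text.upper().find("CAPABILITY")
    if start < 0:
        return set()
    rest = text[start + len("CAPABILITY"):]
    rest = rest.split("]", 1)[0]  # greeting form: * OK [CAPABILITY ...] text
    return {atom.upper() for atom in rest.split()}

def next_step(security, encrypted, capability_line):
    """Return 'STARTTLS' or 'LOGIN', or raise InsecureLoginRefused.

    security  -- the account's configured setting
    encrypted -- True only if TLS is already active on this socket
    """
    if security not in ("ssl", "starttls", "none"):
        raise ValueError("unknown security setting: %r" % security)
    caps = parse_capabilities(capability_line)
    if not encrypted:
        if security == "ssl":
            # An 'ssl' account must never reach this point on a cleartext socket.
            raise InsecureLoginRefused("account requires SSL, socket is cleartext")
        if security == "starttls":
            if "STARTTLS" not in caps:
                raise InsecureLoginRefused("server does not offer STARTTLS")
            return "STARTTLS"
    # RFC 3501: a client must not issue LOGIN while LOGINDISABLED is advertised.
    if "LOGINDISABLED" in caps:
        raise InsecureLoginRefused("server advertises LOGINDISABLED")
    return "LOGIN"

if __name__ == "__main__":
    # The same account setting applies to the store and the Sent-folder append.
    for purpose in ("store", "append to Sent"):
        print(purpose, "->", next_step("starttls", False, GREETING))
        print(purpose, "->", next_step("starttls", True, POST_TLS))
```

After STARTTLS completes, the caller must request capabilities again and pass the new line, since the pre-TLS list is no longer valid.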
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 04:32:00 UTC
Setting whiteboard to [upstream] as the upstream change [1] that corrected the problem is apparently not easily back-ported to the versions we're using.

[1] http://git.gnome.org/browse/evolution-data-server/commit/?id=e0ac4d79705c
Comment 2 Agostino Sarubbo gentoo-dev 2011-10-04 23:15:00 UTC
Hi Tim,

finding more info, I see a Secunia advisory [1] about it, and:

1) I think that it is gnome-extra/evolution-data-server instead of mail-client/evolution
2) This advisory says that the 3.x version is affected; are we sure that 2.x is also affected?


[1]: https://secunia.com/advisories/45941/
Comment 3 Pacho Ramos gentoo-dev 2014-06-01 11:41:37 UTC
I think this is fixed in our part, right?
Comment 4 Pacho Ramos gentoo-dev 2014-06-01 13:15:19 UTC
Fixed in 3.1.2, 3.8.5 was stabilized in bug #478252
Comment 5 Pacho Ramos gentoo-dev 2014-11-11 11:39:16 UTC
(In reply to Pacho Ramos from comment #4)
> Fixed in 3.1.2, 3.8.5 was stabilized in bug #478252

I think nothing more is needed from us... if that is not the case feel free to CC us again :)
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-09 19:36:16 UTC
GLSA Vote: No
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-18 17:59:50 UTC
GLSA vote: no.

Closing as [noglsa]