
Bug 807613 (CVE-2021-38370)

Summary: mail-client/alpine: STARTTLS vulnerabilities (CVE-2021-38370)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: minor
CC: gentoo.2019, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://nostarttls.secvuln.info
See Also: https://bugs.gentoo.org/show_bug.cgi?id=728822
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 807352    

Description John Helmert III gentoo-dev Security 2021-08-10 20:04:32 UTC
CVE-2021-38370:

In Alpine through 2.24, untagged responses from an IMAP server are accepted before STARTTLS.

There's also an issue described on the NO STARTTLS website that says "Crash
when LIST or LSUB send before STARTTLS". Both the status of this issue and the
CVE are "Unknown (reported via email)".
Comment 1 John Helmert III gentoo-dev Security 2021-08-10 20:05:32 UTC
The vulnerability described in this bug was also in the NO STARTTLS report.
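
Added example, not part of the bug comments and not Alpine's code: a gate an IMAP client can apply to plaintext server lines up to the tagged STARTTLS reply, so that untagged data responses such as LIST or LSUB are refused instead of processed. The allow-list, the function and exception names, and both sample transcripts are assumptions constructed for illustration.

```python
import re

# Assumption of this example: before TLS, only the greeting/status (OK, BYE)
# and CAPABILITY untagged responses are acted on; everything else is refused.
ALLOWED_UNTAGGED_PRE_TLS = {"OK", "BYE", "CAPABILITY"}

TAGGED = re.compile(r"^(?P<tag>[A-Za-z0-9.]+) (?P<status>OK|NO|BAD)\b", re.I)
UNTAGGED = re.compile(r"^\* (?:\d+ )?(?P<kind>[A-Za-z]+)")


class PreTlsViolation(Exception):
    """Plaintext server data that must not be trusted or processed."""


def gate_pre_tls(lines, starttls_tag):
    """Return the accepted lines up to and including the tagged STARTTLS OK.

    Raises PreTlsViolation on an untagged response outside the allow-list,
    a refused STARTTLS, an unparsable line, or a missing tagged reply.
    """
    accepted = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = UNTAGGED.match(line)
        if m:
            kind = m.group("kind").upper()
            if kind not in ALLOWED_UNTAGGED_PRE_TLS:
                raise PreTlsViolation(f"untagged {kind} before TLS: {line!r}")
            accepted.append(line)
            continue
        m = TAGGED.match(line)
        if not m:
            raise PreTlsViolation(f"unexpected plaintext line: {line!r}")
        if m.group("tag") == starttls_tag and m.group("status").upper() != "OK":
            raise PreTlsViolation(f"STARTTLS refused: {line!r}")
        accepted.append(line)  # tagged status reply (earlier command or STARTTLS)
        if m.group("tag") == starttls_tag:
            return accepted  # caller starts the TLS handshake now
    raise PreTlsViolation("no tagged STARTTLS reply")


# Constructed transcripts (server side only); "a2" is the tag used for STARTTLS.
CLEAN = ["* OK IMAP4rev1 ready\r\n", "* CAPABILITY IMAP4rev1 STARTTLS\r\n",
         "a1 OK CAPABILITY completed\r\n", "a2 OK begin TLS negotiation\r\n"]
INJECTED = ["* OK IMAP4rev1 ready\r\n", '* LIST (\\Noselect) "/" constructed\r\n',
            "a2 OK begin TLS negotiation\r\n"]
```

After a successful return the client should hand the socket to the TLS layer and treat nothing learned in plaintext, beyond STARTTLS support itself, as authoritative.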