Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 728822 (CVE-2020-14929) - <mail-client/alpine-2.23: Fails to upgrade to secure TLS connection (STARTTLS) (CVE-2020-14929)
Summary: <mail-client/alpine-2.23: Fails to upgrade to secure TLS connection (STARTTLS...
Status: RESOLVED FIXED
Alias: CVE-2020-14929
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://mailman13.u.washington.edu/pip...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: 807352
  Show dependency tree
 
Reported: 2020-06-19 19:57 UTC by Sam James
Modified: 2021-08-10 20:05 UTC (History)
2 users (show)

See Also:
Package list:
=mail-client/alpine-2.23
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 19:57:27 UTC
Description:
"Alpine can be configured to start a secure connection using /tls on
an insecure connection. However, if the connection is PREAUTH,
Alpine will not upgrade the connection to a secure connection,
because a client must not issue a STARTTLS to a server that supports
it, while in authenticated state. 

This makes Alpine continue to use
an insecure connection with the server, exposing user data. Reported
by Damian Poddebniak and Fabian Ising from Münster University of
Applied Sciences. "
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 00:41:00 UTC
@maintainer(s), ready to stable?
Comment 3 Robert G. Siebeck 2020-06-22 12:34:20 UTC
(In reply to Sam James (sec padawan) from comment #2)
> @maintainer(s), ready to stable?

Yes. Do we need a separate bug for this?
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-22 20:41:22 UTC
(In reply to Robert G. Siebeck from comment #3)
> (In reply to Sam James (sec padawan) from comment #2)
> > @maintainer(s), ready to stable?
> 
> Yes. Do we need a separate bug for this?

No, we just do it inline for security bugs. Thanks!
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-25 07:02:42 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-28 20:33:57 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-28 20:45:52 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Larry the Git Cow gentoo-dev 2020-07-01 23:39:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa7d3b2811cf710b2c29cce480fa2132e186f8f8

commit fa7d3b2811cf710b2c29cce480fa2132e186f8f8
Author:     Robert Siebeck <gentoo.2019@r123.de>
AuthorDate: 2020-06-29 22:01:16 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-07-01 23:38:52 +0000

    mail-client/alpine: remove old versions
    
    Bug: https://bugs.gentoo.org/728822
    
    Signed-off-by: Robert Siebeck <gentoo.2019@r123.de>
    Closes: https://github.com/gentoo/gentoo/pull/16500
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 mail-client/alpine/Manifest                        |  2 -
 mail-client/alpine/alpine-2.22-r1.ebuild           | 94 ----------------------
 mail-client/alpine/alpine-2.22.ebuild              | 90 ---------------------
 mail-client/alpine/files/alpine-2.22-cc.patch      | 24 ------
 .../alpine/files/alpine-2.22-fno-common.patch      | 19 -----
 5 files changed, 229 deletions(-)
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-07-01 23:40:14 UTC
GLSA Vote: No