"Alpine can be configured to start a secure connection using /tls on
an insecure connection. However, if the connection is PREAUTH,
Alpine will not upgrade the connection to a secure connection,
because a client must not issue a STARTTLS to a server that supports
it, while in authenticated state. This makes Alpine continue to use
an insecure connection with the server, exposing user data. Reported
by Damian Poddebniak and Fabian Ising from Münster University of
Applied Sciences."
Fixed in 2.23: http://mailman13.u.washington.edu/pipermail/alpine-info/2020-June/008992.html.
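Added example, not part of the bug report and not Alpine's code: a client-side check of the IMAP greeting that fails closed when TLS is required but the server greets with PREAUTH, the case described in the advisory above. The names `parse_greeting`, `decide`, `Action` and the `tls_required` flag are hypothetical, and closing the connection is an assumed policy, not a description of the 2.23 patch.

```python
# Added illustration; names and the fail-closed policy are assumptions, not Alpine code.
from enum import Enum


class Action(Enum):
    STARTTLS = "issue STARTTLS before authenticating"
    CONTINUE = "continue without TLS (TLS was not requested)"
    ABORT = "close the connection"


def parse_greeting(line: bytes):
    """Return (status, capabilities) from an untagged IMAP greeting line."""
    text = line.decode("ascii", errors="replace").strip()
    parts = text.split(None, 2)
    if len(parts) < 2 or parts[0] != "*":
        raise ValueError("not an untagged greeting: %r" % text)
    status = parts[1].upper()
    if status not in ("OK", "PREAUTH", "BYE"):
        raise ValueError("unexpected greeting status: %r" % status)
    caps = set()
    rest = parts[2] if len(parts) == 3 else ""
    # Optional response code, e.g. "[CAPABILITY IMAP4rev1 STARTTLS]"
    if rest.startswith("[") and "]" in rest:
        code = rest[1:rest.index("]")].split()
        if code and code[0].upper() == "CAPABILITY":
            caps = {c.upper() for c in code[1:]}
    return status, caps


def decide(line: bytes, tls_required: bool) -> Action:
    """Pick the next step for a plaintext IMAP connection after the greeting."""
    status, caps = parse_greeting(line)
    if status == "BYE":
        return Action.ABORT
    if not tls_required:
        return Action.CONTINUE
    if status == "PREAUTH":
        # Session is already in authenticated state, where STARTTLS is not
        # permitted, so the upgrade cannot happen. Do not carry on in cleartext.
        return Action.ABORT
    if caps and "STARTTLS" not in caps:
        # Greeting advertised capabilities and STARTTLS is not among them.
        return Action.ABORT
    # OK greeting; if no capabilities were listed the client would ask first.
    return Action.STARTTLS
```
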
@maintainer(s), ready to stable?
(In reply to Sam James (sec padawan) from comment #2)
> @maintainer(s), ready to stable?
Yes. Do we need a separate bug for this?
(In reply to Robert G. Siebeck from comment #3)
> (In reply to Sam James (sec padawan) from comment #2)
> > @maintainer(s), ready to stable?
> Yes. Do we need a separate bug for this?
No, we just do it inline for security bugs. Thanks!
Maintainer(s), please clean up.
Security, please vote.
The bug has been referenced in the following commit(s):
Author: Robert Siebeck <email@example.com>
AuthorDate: 2020-06-29 22:01:16 +0000
Commit: Aaron Bauman <firstname.lastname@example.org>
CommitDate: 2020-07-01 23:38:52 +0000
mail-client/alpine: remove old versions
Signed-off-by: Robert Siebeck <email@example.com>
Signed-off-by: Aaron Bauman <firstname.lastname@example.org>
mail-client/alpine/Manifest | 2 -
mail-client/alpine/alpine-2.22-r1.ebuild | 94 ----------------------
mail-client/alpine/alpine-2.22.ebuild | 90 ---------------------
mail-client/alpine/files/alpine-2.22-cc.patch | 24 ------
.../alpine/files/alpine-2.22-fno-common.patch | 19 -----
5 files changed, 229 deletions(-)
GLSA Vote: No