"common/session.c in Claws Mail before 3.17.6 has a protocol violation because suffix data after STARTTLS is mishandled."
The main issue here (similar to other recent problems in mail clients) is that an attacker could inject commands even after the client believes TLS is being used.
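As an added illustration of the STARTTLS transition discussed above (example code, not Claws Mail's own session.c): once the go-ahead reply has been read, the client checks what else it has already buffered in plaintext and wipes it, so trailing bytes can never be parsed later as if they had arrived over TLS. The session_t struct and the function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* What the plaintext read buffer holds once the STARTTLS go-ahead arrives. */
typedef enum {
    STARTTLS_OK = 0,      /* exactly one reply line: safe to start TLS */
    STARTTLS_INCOMPLETE,  /* no complete line yet: keep reading in plaintext */
    STARTTLS_SUFFIX_DATA  /* bytes follow the reply line: they were never encrypted */
} starttls_state;

/* Splits buf[0..len) at the end of the first LF-terminated line. *line_len gets
 * that line's length including its line ending, *suffix_len the number of bytes
 * buffered after it (both 0 when no line is complete yet). */
starttls_state starttls_check_buffer(const char *buf, size_t len,
                                     size_t *line_len, size_t *suffix_len)
{
    const char *nl = memchr(buf, '\n', len);
    if (nl == NULL) {
        *line_len = *suffix_len = 0;
        return STARTTLS_INCOMPLETE;
    }
    *line_len = (size_t)(nl - buf) + 1;
    *suffix_len = len - *line_len;
    return *suffix_len == 0 ? STARTTLS_OK : STARTTLS_SUFFIX_DATA;
}

/* Hypothetical stand-in for a session's plaintext read buffer. */
typedef struct {
    char   rbuf[512];
    size_t rlen;
    int    tls_active;
} session_t;

/* Called after STARTTLS was sent and the server's reply was read. Returns 0
 * when the TLS handshake may proceed, -1 when the session must be dropped.
 * The vulnerable pattern keeps rbuf[line_len..rlen) and later parses it as
 * the first TLS-protected reply; here the buffer is wiped on every path and
 * any trailing plaintext is treated as a protocol violation. */
int session_start_tls(session_t *s)
{
    size_t line_len, suffix_len;
    starttls_state st = starttls_check_buffer(s->rbuf, s->rlen,
                                              &line_len, &suffix_len);
    memset(s->rbuf, 0, sizeof s->rbuf);
    s->rlen = 0;
    if (st != STARTTLS_OK)
        return -1;          /* incomplete reply or injected suffix data */
    s->tls_active = 1;      /* the real TLS handshake would happen here */
    return 0;
}
```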
Ready to stable?
x86 stable. Please cleanup.
GLSA vote: yes
The bug has been referenced in the following commit(s):
Author: Lars Wendler <email@example.com>
AuthorDate: 2020-07-27 17:13:15 +0000
Commit: Lars Wendler <firstname.lastname@example.org>
CommitDate: 2020-07-27 17:13:15 +0000
mail-client/claws-mail: Security cleanup
Package-Manager: Portage-3.0.1, Repoman-2.3.23
Signed-off-by: Lars Wendler <email@example.com>
mail-client/claws-mail/Manifest | 1 -
mail-client/claws-mail/claws-mail-3.17.5-r1.ebuild | 224 ---------------------
2 files changed, 225 deletions(-)
This issue was resolved and addressed in
GLSA 202007-56 at https://security.gentoo.org/glsa/202007-56
by GLSA coordinator Sam James (sam_c).