Description: "common/session.c in Claws Mail before 3.17.6 has a protocol violation because suffix data after STARTTLS is mishandled." The main issue here (similar to other recent problems in mail clients) is that an attacker could inject commands even after the client believes TLS is being used.
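The mishandling described above, as an added example that is not Claws Mail's code: a toy pre-TLS receive buffer with the flawed handling beside the hardened check. It assumes SMTP's 220 reply to STARTTLS; the class and function names are hypothetical.

```python
class ProtocolViolation(Exception):
    """Raised when the plaintext phase of STARTTLS does not end cleanly."""


class PlaintextBuffer:
    """Client receive buffer for the pre-TLS phase (constructed for this example)."""

    def __init__(self, data: bytes = b"") -> None:
        self.data = data

    def read_line(self) -> bytes:
        """Return the next CRLF-terminated line, raising if none is complete."""
        idx = self.data.find(b"\r\n")
        if idx < 0:
            raise ProtocolViolation("incomplete reply")
        line, self.data = self.data[:idx], self.data[idx + 2:]
        return line


def vulnerable_starttls(buf: PlaintextBuffer, ok_prefix: bytes = b"220") -> bytes:
    """Mirrors the flaw in the description: the STARTTLS reply is checked, but any
    bytes that arrived after it stay buffered and are later handed to the
    post-handshake parser as though they had come over TLS."""
    reply = buf.read_line()
    if not reply.startswith(ok_prefix):
        raise ProtocolViolation(f"server refused STARTTLS: {reply!r}")
    return buf.data  # leftover plaintext the TLS-phase parser would consume


def hardened_starttls(buf: PlaintextBuffer, ok_prefix: bytes = b"220") -> bytes:
    """Correct handling: the positive reply must be the last plaintext the client
    accepts; anything still buffered was not protected by TLS, so abort."""
    reply = buf.read_line()
    if not reply.startswith(ok_prefix):
        raise ProtocolViolation(f"server refused STARTTLS: {reply!r}")
    if buf.data:
        raise ProtocolViolation(f"plaintext after STARTTLS reply: {buf.data!r}")
    return b""  # the TLS-phase parser starts from an empty buffer


# Constructed samples: a normal SMTP reply, and the same reply with a trailing
# plaintext line that an attacker on the path could have injected.
CLEAN_REPLY = b"220 2.0.0 Ready to start TLS\r\n"
TAMPERED_REPLY = CLEAN_REPLY + b"250 OK\r\n"
```

The same check applies to IMAP and POP3 sessions; only `ok_prefix` changes.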
Ready to stable?
amd64 stable
x86 stable. Please cleanup.
GLSA vote: yes
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c80d0119b53394265b092f29823dd63cc9dd440

commit 7c80d0119b53394265b092f29823dd63cc9dd440
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-07-27 17:13:15 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-07-27 17:13:15 +0000

    mail-client/claws-mail: Security cleanup

    Bug: https://bugs.gentoo.org/733684
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 mail-client/claws-mail/Manifest                    |   1 -
 mail-client/claws-mail/claws-mail-3.17.5-r1.ebuild | 224 --------------------
 2 files changed, 225 deletions(-)
This issue was resolved and addressed in GLSA 202007-56 at https://security.gentoo.org/glsa/202007-56 by GLSA coordinator Sam James (sam_c).