CVE-2020-15953: LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection." There appears to be a patch: https://github.com/dinhvh/libetpan/pull/388
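The buffering problem described above, as an added example that is not libetpan's or MailCore's own code: a model of a read-ahead client buffer, and the check a defensive client makes after the server's begin-TLS reply so that plaintext bytes left in that buffer are never parsed as if they had arrived over TLS. The protocol reply prefixes, the IMAP tag a001 and the transcripts are constructed assumptions.

```python
import io

# Constructed model of a read-ahead client buffer, like the one a mail
# library keeps between the socket and its protocol parser (assumption:
# this is not libetpan's own buffering code).
class BufferedStream:
    def __init__(self, raw: bytes, chunk: int = 1024):
        self._src = io.BytesIO(raw)   # stands in for the plaintext socket
        self._buf = b""
        self._chunk = chunk

    def read_line(self) -> bytes:
        # Read-ahead: one read may pull in bytes beyond the CRLF we want.
        while b"\r\n" not in self._buf:
            data = self._src.read(self._chunk)
            if not data:
                raise ConnectionError("connection closed before CRLF")
            self._buf += data
        line, self._buf = self._buf.split(b"\r\n", 1)
        return line

    def pending(self) -> bytes:
        return self._buf  # plaintext already consumed from the socket

def begin_tls_prefix(protocol: str, tag: bytes) -> bytes:
    # Reply that signals "switch to TLS now" in each protocol (constructed).
    return {"imap": tag + b" OK", "smtp": b"220", "pop3": b"+OK"}[protocol]

def starttls_check(raw: bytes, protocol: str, tag: bytes = b"a001"):
    """Return (ok, reason). ok is True only if the server accepted STARTTLS
    and no plaintext bytes remain in the client buffer."""
    stream = BufferedStream(raw)
    line = stream.read_line()
    # IMAP may send untagged lines before the tagged reply to STARTTLS.
    while protocol == "imap" and not line.startswith(tag + b" "):
        line = stream.read_line()
    if not line.startswith(begin_tls_prefix(protocol, tag)):
        return False, "server did not accept STARTTLS: " + line.decode(errors="replace")
    if stream.pending():
        # Vulnerable behaviour: keep these bytes and parse them after the TLS
        # handshake as if the server had sent them over TLS. Safe behaviour:
        # treat them as an injection attempt and abort the session.
        return False, "plaintext buffered after begin-TLS reply; aborting"
    return True, "ok"
```

In a real client the same check belongs between reading the begin-TLS reply and handing the socket to the TLS library, for all three protocols.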
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66

commit d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-07-27 18:29:18 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-07-27 18:30:34 +0000

    net-libs/libetpan: Security revbump to fix CVE-2020-15953

    Bug: https://bugs.gentoo.org/734130
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 .../files/libetpan-1.9.4-CVE-2020-15953.patch | 86 ++++++++++++++++++++++
 net-libs/libetpan/libetpan-1.9.4-r1.ebuild    | 78 ++++++++++++++++++++
 2 files changed, 164 insertions(+)
GLSA vote: yes
x86 stable
amd64 stable
This issue was resolved and addressed in GLSA 202007-55 at https://security.gentoo.org/glsa/202007-55 by GLSA coordinator Sam James (sam_c).
Reopening for remaining arches.
sparc stable
ppc64 stable
ppc stable
hppa stable. Last arch, closing.
Ups, sorry.
(In reply to Rolf Eike Beer from comment #11)
> Ups, sorry.

No worries. Please clean up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bd0471b2367f4fa7a9f12bf333178b4f7e33f90

commit 8bd0471b2367f4fa7a9f12bf333178b4f7e33f90
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-07-30 21:15:03 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-07-30 21:15:33 +0000

    net-libs/libetpan: Security cleanup

    Bug: https://bugs.gentoo.org/734130
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-libs/libetpan/Manifest                      |  1 -
 .../files/libetpan-1.9.3-missing-stddev_h.patch | 30 ---------
 net-libs/libetpan/libetpan-1.9.3.ebuild         | 77 ----------------------
 net-libs/libetpan/libetpan-1.9.4.ebuild         | 77 ----------------------
 4 files changed, 185 deletions(-)
Thanks everyone! All done, closing.