Description: "GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. This allows a meddler in the middle to present a different invalid certificate to intercept incoming and outgoing mail." 3.36.3.1, 3.37.91 just got released with the fix.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d23fe4045be61ae9fdb084b7ad0e8f035bf5e8a

commit 0d23fe4045be61ae9fdb084b7ad0e8f035bf5e8a
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-08-29 08:26:53 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-08-29 08:27:25 +0000

mail-client/geary: security cleanup

Bug: https://bugs.gentoo.org/739174
Package-Manager: Portage-2.3.103, Repoman-2.3.20
Signed-off-by: Mart Raudsepp <leio@gentoo.org>

mail-client/geary/Manifest | 1 -
mail-client/geary/geary-3.36.2.ebuild | 98 -----------------------------------
2 files changed, 99 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=498eeae0f6432454823cfda9225edd5e93fd8676

commit 498eeae0f6432454823cfda9225edd5e93fd8676
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-08-29 08:12:54 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-08-29 08:27:25 +0000

mail-client/geary: security bump to 3.36.3.1

Bug: https://bugs.gentoo.org/739174
Package-Manager: Portage-2.3.103, Repoman-2.3.20
Signed-off-by: Mart Raudsepp <leio@gentoo.org>

mail-client/geary/Manifest | 1 +
mail-client/geary/geary-3.36.3.1.ebuild | 99 +++++++++++++++++++++++++++++++++
2 files changed, 100 insertions(+)
noglsa b/c ~ so closing, thanks!