Description: "Alpine can be configured to start a secure connection using /tls on an insecure connection. However, if the connection is PREAUTH, Alpine will not upgrade the connection to a secure connection, because a client must not issue a STARTTLS to a server that supports it, while in authenticated state. This makes Alpine continue to use an insecure connection with the server, exposing user data. Reported by Damian Poddebniak and Fabian Ising from Münster University of Applied Sciences."
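The state-machine rule behind the description is RFC 3501's restriction of STARTTLS to the Not Authenticated state: a PREAUTH greeting moves the session straight into the Authenticated state, so a client that was told to use /tls on a plaintext port has no compliant way to upgrade and must decide whether to carry on in the clear or stop. The following is an added example, not Alpine's code and not a description of what the 2.23 fix does; the FakeImapServer, the greeting and reply strings, and the `run_session` policy flags are all constructed here for illustration. `refuse_preauth_plaintext=False` models the behaviour the advisory describes, `True` models a client that treats an un-upgradeable PREAUTH session as a failed TLS requirement.

```python
import re

# Greeting forms from RFC 3501 section 7.1: "* OK", "* PREAUTH", "* BYE".
GREETING_RE = re.compile(r"^\* (OK|PREAUTH|BYE)(?:\s+(.*))?$")


def parse_greeting(line):
    """Return (status, text) for an untagged server greeting, or raise ValueError."""
    m = GREETING_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed greeting: {line!r}")
    return m.group(1), m.group(2) or ""


class FakeImapServer:
    """Constructed stand-in for an IMAP server (assumption: not a real one).

    It knows only STARTTLS, LOGIN, SELECT and LOGOUT, which is enough to show
    the state rule that prevents the TLS upgrade after a PREAUTH greeting.
    """

    def __init__(self, preauth):
        self.tls = False  # set once STARTTLS has been accepted
        if preauth:
            self.state = "authenticated"
            self.greeting = "* PREAUTH IMAP4rev1 server logged in as user"
        else:
            self.state = "not-authenticated"
            self.greeting = "* OK IMAP4rev1 server ready"

    def handle(self, tag, command):
        verb = command.split(" ", 1)[0]
        if verb == "STARTTLS":
            # RFC 3501 6.2.1: STARTTLS is valid only in Not Authenticated state.
            if self.state != "not-authenticated":
                return f"{tag} BAD STARTTLS not allowed in {self.state} state"
            self.tls = True
            return f"{tag} OK Begin TLS negotiation now"
        if verb == "LOGIN":
            if self.state != "not-authenticated":
                return f"{tag} BAD already authenticated"
            self.state = "authenticated"
            return f"{tag} OK LOGIN completed"
        if verb == "SELECT":
            if self.state == "not-authenticated":
                return f"{tag} BAD not authenticated"
            self.state = "selected"
            return f"{tag} OK [READ-WRITE] SELECT completed"
        if verb == "LOGOUT":
            self.state = "logout"
            return f"{tag} OK LOGOUT completed"
        return f"{tag} BAD unknown command"


def run_session(server, require_tls, refuse_preauth_plaintext):
    """Drive one session; report whether the mailbox was opened and over what.

    require_tls models a user asking for STARTTLS on a plaintext port.
    refuse_preauth_plaintext picks the hardened policy: a PREAUTH greeting on a
    plaintext socket is treated as an unmet TLS requirement and the session ends.
    """
    transcript = [f"S: {server.greeting}"]
    counter = [0]

    def send(command):
        counter[0] += 1
        tag = f"a{counter[0]:03d}"
        transcript.append(f"C: {tag} {command}")
        reply = server.handle(tag, command)
        transcript.append(f"S: {reply}")
        return reply.split(" ", 2)[1]  # OK / NO / BAD

    def result(outcome):
        return {"outcome": outcome, "tls": server.tls, "transcript": transcript}

    status, _ = parse_greeting(server.greeting)
    if status == "BYE":
        return result("server-rejected")

    if require_tls and not server.tls:
        if status == "OK":
            # Still in Not Authenticated state: upgrade before sending anything sensitive.
            if send("STARTTLS") != "OK":
                send("LOGOUT")
                return result("tls-failed")
            # A real client would wrap the socket in TLS here and re-read CAPABILITY.
        elif refuse_preauth_plaintext:
            # PREAUTH already put us in Authenticated state, where STARTTLS is not
            # permitted, so the only safe choice is to stop before using the mailbox.
            send("LOGOUT")
            return result("refused-plaintext-preauth")
        # else: the behaviour described in the advisory, carry on in plaintext.

    if status == "OK" and send('LOGIN "user" "secret"') != "OK":
        return result("login-failed")
    if send("SELECT INBOX") != "OK":
        return result("select-failed")
    return result("mailbox-opened")


if __name__ == "__main__":
    for preauth, refuse in ((False, True), (True, False), (True, True)):
        r = run_session(FakeImapServer(preauth), require_tls=True,
                        refuse_preauth_plaintext=refuse)
        print(f"preauth={preauth} refuse={refuse}: {r['outcome']} tls={r['tls']}")
        print("\n".join("  " + line for line in r["transcript"]))
```

Running the block prints the three exchanges side by side: the OK greeting gets STARTTLS then LOGIN and SELECT, the PREAUTH greeting with the permissive policy opens INBOX with `tls=False` and no STARTTLS ever on the wire, and the PREAUTH greeting with the strict policy sends only LOGOUT. The point a practitioner should take away is that the only reliable protection is to not depend on an upgrade at all: connect to the IMAPS port (TLS before any greeting), so a PREAUTH greeting is already inside the TLS session.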
Fixed in 2.23: http://mailman13.u.washington.edu/pipermail/alpine-info/2020-June/008992.html.
@maintainer(s), ready to stable?
(In reply to Sam James (sec padawan) from comment #2)
> @maintainer(s), ready to stable?

Yes. Do we need a separate bug for this?
(In reply to Robert G. Siebeck from comment #3)
> (In reply to Sam James (sec padawan) from comment #2)
> > @maintainer(s), ready to stable?
>
> Yes. Do we need a separate bug for this?

No, we just do it inline for security bugs. Thanks!
amd64 stable
ppc stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa7d3b2811cf710b2c29cce480fa2132e186f8f8

commit fa7d3b2811cf710b2c29cce480fa2132e186f8f8
Author:     Robert Siebeck <gentoo.2019@r123.de>
AuthorDate: 2020-06-29 22:01:16 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-07-01 23:38:52 +0000

    mail-client/alpine: remove old versions

    Bug: https://bugs.gentoo.org/728822
    Signed-off-by: Robert Siebeck <gentoo.2019@r123.de>
    Closes: https://github.com/gentoo/gentoo/pull/16500
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 mail-client/alpine/Manifest                     |  2 -
 mail-client/alpine/alpine-2.22-r1.ebuild        | 94 ----------------------
 mail-client/alpine/alpine-2.22.ebuild           | 90 ---------------------
 mail-client/alpine/files/alpine-2.22-cc.patch   | 24 ------
 .../alpine/files/alpine-2.22-fno-common.patch   | 19 -----
 5 files changed, 229 deletions(-)
GLSA Vote: No