Your message dated Sat, 05 Mar 2022 22:47:31 +0000
with message-id <[email protected]>
and subject line Bug#966647: fixed in libetpan 1.9.3-2+deb10u1
has caused the Debian Bug report #966647,
regarding libetpan: CVE-2020-15953
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
966647: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966647
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libetpan
Version: 1.9.4-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/dinhvh/libetpan/issues/386
X-Debbugs-Cc: Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libetpan.
CVE-2020-15953[0]:
| LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other
| products, has a STARTTLS buffering issue that affects IMAP, SMTP, and
| POP3. When a server sends a "begin TLS" response, the client reads
| additional data (e.g., from a meddler-in-the-middle attacker) and
| evaluates it in a TLS context, aka "response injection."
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-15953
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15953
[1] https://github.com/dinhvh/libetpan/issues/386
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
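The buffering issue in the CVE text above, as an added example that is not part of the original bug report and is not libetpan's code: a client that reads the "begin TLS" reply through a buffered line reader can check whether plaintext bytes remain buffered before it starts the handshake, and refuse to continue if they do. The struct, the function names, the SMTP-style `220` reply and the sample inputs are all assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical plaintext receive buffer of a mail client (not libetpan's types). */
struct rxbuf { char data[256]; size_t len; };

/* Simulate one read() from the socket: append whatever arrived in the segment. */
static void rx_feed(struct rxbuf *b, const char *bytes) {
    size_t n = strlen(bytes);
    if (n > sizeof b->data - b->len) n = sizeof b->data - b->len;
    memcpy(b->data + b->len, bytes, n);
    b->len += n;
}

/* Pop one CRLF-terminated line into out; returns 1 on success, 0 if incomplete. */
static int rx_line(struct rxbuf *b, char *out, size_t outsz) {
    for (size_t i = 0; i + 1 < b->len; i++) {
        if (b->data[i] == '\r' && b->data[i + 1] == '\n') {
            size_t n = i < outsz - 1 ? i : outsz - 1;
            memcpy(out, b->data, n);
            out[n] = '\0';
            memmove(b->data, b->data + i + 2, b->len - (i + 2));
            b->len -= i + 2;
            return 1;
        }
    }
    return 0;
}

/* Returns 0 if TLS may start, -1 if STARTTLS was refused or the reply is
   incomplete, -2 if plaintext bytes are still buffered after the reply. */
static int starttls_reply_ok(struct rxbuf *b) {
    char line[128];
    if (!rx_line(b, line, sizeof line)) return -1;
    if (strncmp(line, "220 ", 4) != 0) return -1;   /* SMTP "begin TLS" reply */
    return b->len == 0 ? 0 : -2;  /* leftover bytes arrived before any TLS protection */
}

/* Constructed input: one network segment as the client would receive it. */
static int demo(const char *segment) {
    struct rxbuf b = { .len = 0 };
    rx_feed(&b, segment);
    return starttls_reply_ok(&b);
}

int main(void) {
    printf("clean: %d\n", demo("220 Ready to start TLS\r\n"));
    printf("extra data: %d\n", demo("220 Ready to start TLS\r\n250 constructed extra reply\r\n"));
    return 0;
}
```

A client without the `b->len` check would hand the leftover line to its response parser after the handshake, as if it had arrived over TLS.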
--- Begin Message ---
Source: libetpan
Source-Version: 1.9.3-2+deb10u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libetpan, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated libetpan package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 16 Jan 2022 13:49:07 +0200
Source: libetpan
Architecture: source
Version: 1.9.3-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Ricardo Mones <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 966647
Changes:
libetpan (1.9.3-2+deb10u1) buster; urgency=medium
.
* Non-maintainer upload.
* CVE-2020-15953: STARTTLS response injection that
affects IMAP, SMTP, and POP3. (Closes: #966647)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---