Your message dated Sat, 26 Mar 2022 12:02:22 +0000
with message-id
<540de30a27d37c3ff416b94b1adf7ff2a2cab257.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates in 10.12
has caused the Debian Bug report #1003825,
regarding buster-pu: package libetpan/1.9.3-2+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1003825: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003825
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
* CVE-2020-15953: STARTTLS response injection that
affects IMAP, SMTP, and POP3. (Closes: #966647)
diff -Nru libetpan-1.9.3/debian/changelog libetpan-1.9.3/debian/changelog
--- libetpan-1.9.3/debian/changelog 2019-05-07 00:27:54.000000000 +0300
+++ libetpan-1.9.3/debian/changelog 2022-01-16 13:49:07.000000000 +0200
@@ -1,3 +1,11 @@
+libetpan (1.9.3-2+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2020-15953: STARTTLS response injection that
+ affects IMAP, SMTP, and POP3. (Closes: #966647)
+
+ -- Adrian Bunk <b...@debian.org> Sun, 16 Jan 2022 13:49:07 +0200
+
libetpan (1.9.3-2) unstable; urgency=high
* debian/patches/90_fix_tls_timeout.diff
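Review bot: the changelog entry names the CVE and closes #966647 but does not mention the user-visible behaviour change the two new patches introduce: a STARTTLS/STLS negotiation now fails (the client exits with an error) when the server sends any further plaintext after its STARTTLS reply. Since that will also break against misbehaving but non-malicious servers, a short sentence to that effect under the CVE bullet would help users reading the stable update notes.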
diff -Nru
libetpan-1.9.3/debian/patches/0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
libetpan-1.9.3/debian/patches/0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
---
libetpan-1.9.3/debian/patches/0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
1970-01-01 02:00:00.000000000 +0200
+++
libetpan-1.9.3/debian/patches/0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
2022-01-16 13:48:27.000000000 +0200
@@ -0,0 +1,30 @@
+From a6ab2983e53795b62b3158ddfe114dfaea1a1d17 Mon Sep 17 00:00:00 2001
+From: Damian Poddebniak <due...@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:39:53 +0200
+Subject: Detect extra data after STARTTLS response and exit (#387)
+
+---
+ src/low-level/imap/mailimap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
+index 989e20a..df17e27 100644
+--- a/src/low-level/imap/mailimap.c
++++ b/src/low-level/imap/mailimap.c
+@@ -2422,6 +2422,13 @@ int mailimap_starttls(mailimap * session)
+
+ mailimap_response_free(response);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->imap_stream->read_buffer_len != 0) {
++ // Since it is also an IMAP protocol violation, exit.
++ return MAILIMAP_ERROR_STARTTLS;
++ }
++
+ switch (error_code) {
+ case MAILIMAP_RESP_COND_STATE_OK:
+ return MAILIMAP_NO_ERROR;
+--
+2.20.1
+
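Review bot: the placement of the new check in `mailimap_starttls` is right: it comes after `mailimap_response_free(response);`, so the early `return MAILIMAP_ERROR_STARTTLS;` does not leak the parsed response, and it comes before the `switch (error_code)`, so leftover plaintext in `session->imap_stream->read_buffer_len` is rejected whether the tagged reply was OK, NO or BAD. Two small points: the comment should read "the server sent extra data" rather than "send", and the hunk only shows the error value being returned; the caller that would otherwise begin the TLS handshake (not in this hunk) has to treat `MAILIMAP_ERROR_STARTTLS` as fatal and close the socket rather than continue or retry, which is worth confirming in the full source before upload.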
diff -Nru
libetpan-1.9.3/debian/patches/0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch
libetpan-1.9.3/debian/patches/0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch
---
libetpan-1.9.3/debian/patches/0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch
1970-01-01 02:00:00.000000000 +0200
+++
libetpan-1.9.3/debian/patches/0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch
2022-01-16 13:48:27.000000000 +0200
@@ -0,0 +1,55 @@
+From 586db9d030f397a48c7b0008dffe25da582251f3 Mon Sep 17 00:00:00 2001
+From: Fabian Ising <murg...@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:40:48 +0200
+Subject: Detect extra data after STARTTLS responses in SMTP and POP3 and exit
+ (#388)
+
+* Detect extra data after STLS response and return error
+
+* Detect extra data after SMTP STARTTLS response and return error
+---
+ src/low-level/pop3/mailpop3.c | 8 ++++++++
+ src/low-level/smtp/mailsmtp.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c
+index ab9535b..e2124bf 100644
+--- a/src/low-level/pop3/mailpop3.c
++++ b/src/low-level/pop3/mailpop3.c
+@@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f)
+
+ if (r != RESPONSE_OK)
+ return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;
++
++ // Detect if the server send extra data after the STLS response.
++ // This *may* be a "response injection attack".
++ if (f->pop3_stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no error type for STARTTLS errors in POP3
++ return MAILPOP3_ERROR_SSL;
++ }
+
+ return MAILPOP3_NO_ERROR;
+ }
+diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c
+index 2f3b40e..c967511 100644
+--- a/src/low-level/smtp/mailsmtp.c
++++ b/src/low-level/smtp/mailsmtp.c
+@@ -1108,6 +1108,14 @@ int mailesmtp_starttls(mailsmtp * session)
+ return MAILSMTP_ERROR_STREAM;
+ r = read_response(session);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no general error type for STARTTLS errors in SMTP
++ return MAILSMTP_ERROR_SSL;
++ }
++
+ switch (r) {
+ case 220:
+ return MAILSMTP_NO_ERROR;
+--
+2.20.1
+
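Review bot: the two checks are placed differently: in `mailpop3_stls` the `read_buffer_len` test sits after `if (r != RESPONSE_OK) return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;`, so it runs only on a successful STLS reply, whereas in `mailesmtp_starttls` it runs before `switch (r)` and therefore also on a non-220 reply. Both orders reject the case that matters (buffered plaintext after a successful reply), and the SMTP order matches the IMAP patch, so this is a consistency nit rather than a bug. Reusing `MAILPOP3_ERROR_SSL` and `MAILSMTP_ERROR_SSL` instead of adding new enum values is the right call for a stable update because it leaves the public error enums untouched, but the in-code comments ("no error type for STARTTLS errors") should be mirrored wherever those error values are documented so callers know an SSL error can now mean "unexpected data received before TLS". Comment grammar in both files: "the server sent extra data" and "it is also a protocol violation".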
diff -Nru libetpan-1.9.3/debian/patches/series
libetpan-1.9.3/debian/patches/series
--- libetpan-1.9.3/debian/patches/series 2019-05-07 00:27:54.000000000
+0300
+++ libetpan-1.9.3/debian/patches/series 2022-01-16 13:49:05.000000000
+0200
@@ -2,3 +2,5 @@
11_use_openjade.diff
12_add_dummy_readme.diff
90_fix_tls_timeout.diff
+0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
+0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch
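Review bot: series order looks correct, with the two new patches appended after `90_fix_tls_timeout.diff` so they apply on top of the existing TLS fix; since that earlier patch, going by its name, also touches the TLS code paths, it is worth confirming that both new patches apply against 1.9.3 without fuzz before the upload.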
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.12
Hi,
The updates referenced in these requests were included in oldstable as
part of today's 10.12 point release.
Regards,
Adam
--- End Message ---