Bug 1173910 (CVE-2020-14928) - VUL-0: CVE-2020-14928: evolution-data-server: Response Injection via STARTTLS in SMTP and POP3
Summary: VUL-0: CVE-2020-14928: evolution-data-server: Response Injection via STARTTLS...
Status: RESOLVED FIXED
Alias: CVE-2020-14928
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/263007/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-14928:5.3:(AV:...
Keywords:
Depends on:
Blocks: NOSTARTTLS
Reported: 2020-07-08 17:08 UTC by Alexandros Toptsoglou
Modified: 2021-08-09 11:41 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2020-07-08 17:08:43 UTC
CVE-2020-14928

Response Injection via STARTTLS in SMTP and POP3

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14928
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14928.html
Comment 1 Alexandros Toptsoglou 2020-07-08 17:11:31 UTC
Related commits at [1] and [2]. Upstream issue at [3].
Tracked as affected SLE12-SP3, SLE15 and SLE15-SP2. It seems that version 2.X in SLE11-SP1 and SP3 is not affected but your feedback is also appreciated. No POC available.


[1] https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/f404f33fb01b23903c2bbb16791c7907e457fbac
[2] https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/b74b765188d96803814acf69a510a7160d9ee6c5
[3] https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226
Comment 3 Swamp Workflow Management 2021-03-19 20:59:07 UTC
SUSE-SU-2021:0891-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1173910,1174712,1182882
CVE References: CVE-2020-14928,CVE-2020-16117
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    evolution-data-server-3.22.7-18.7.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    evolution-data-server-3.22.7-18.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2021-03-19 21:06:38 UTC
SUSE-SU-2021:0885-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1173910,1174712,1182882
CVE References: CVE-2020-14928,CVE-2020-16117
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    evolution-data-server-3.20.6-17.3.1

Comment 5 Swamp Workflow Management 2021-03-24 17:18:01 UTC
SUSE-SU-2021:0949-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1173910,1174712,1182882
CVE References: CVE-2020-14928,CVE-2020-16117
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    evolution-data-server-3.34.4-3.3.1, evolution-ews-3.34.4-3.3.1

Comment 6 Swamp Workflow Management 2021-03-27 23:16:37 UTC
openSUSE-SU-2021:0482-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1173910,1174712,1182882
CVE References: CVE-2020-14928,CVE-2020-16117
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    evolution-data-server-3.34.4-lp152.2.3.1, evolution-ews-3.34.4-lp152.2.3.1
Comment 7 Marcus Meissner 2021-08-09 11:41:10 UTC
released