Bugzilla – Bug 1189316
VUL-1: CVE-2021-38370: alpine: In Alpine through 2.24, untagged responses from an IMAP server are accepted before STARTTLS.
Last modified: 2022-09-16 09:48:57 UTC
CVE-2021-38370: In Alpine through 2.24, untagged responses from an IMAP server are accepted before STARTTLS.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38370
https://alpine.x10host.com
https://nostarttls.secvuln.info
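The client-side rule the fix restores, as an added Python example that is not Alpine's or c-client's code: everything received before the TLS handshake completes is unauthenticated, so untagged responses in that phase are logged but never applied to client state, only the tagged reply to STARTTLS is consulted, and any plaintext bytes queued behind that reply cause the connection to be abandoned. The server transcripts, the `a001` tag and the `ClientState`/`starttls_phase` names are constructed for the example.

```python
"""Defensive handling of the IMAP pre-STARTTLS phase (added example).

Rule: nothing received before the TLS handshake completes is authenticated,
so untagged responses in that phase must not update client state
(capabilities, flags, alerts). Only the tagged reply to STARTTLS is
consulted, and any bytes following that reply are rejected, because a naive
client would otherwise consume them as if they had arrived inside TLS.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ClientState:
    tls_established: bool = False
    capabilities: set[str] = field(default_factory=set)
    # Untagged lines seen in plaintext; kept for logging, never applied.
    ignored_plaintext: list[str] = field(default_factory=list)


@dataclass
class StartTlsResult:
    ok: bool
    error: Optional[str] = None


def handle_untagged(state: ClientState, line: bytes) -> bool:
    """Apply one untagged ("* ...") response to client state.

    Returns True when the response was applied. The hardened rule is the
    first check: before TLS is up the line is only recorded, not applied.
    """
    text = line.decode("ascii", "replace")
    if not state.tls_established:
        state.ignored_plaintext.append(text)
        return False
    if text.startswith("* CAPABILITY "):
        state.capabilities = set(text[len("* CAPABILITY "):].split())
    # Other untagged responses (OK/NO/BAD/BYE, EXISTS, FLAGS, ...) would be
    # dispatched here; they are equally subject to the TLS check above.
    return True


def starttls_phase(state: ClientState, raw: bytes, tag: bytes = b"a001") -> StartTlsResult:
    """Consume the server's plaintext output after the client sent
    ``<tag> STARTTLS`` and decide whether the TLS handshake may start.

    ``raw`` is everything read from the socket so far (greeting included).
    """
    cursor = 0
    while True:
        end = raw.find(b"\r\n", cursor)
        if end == -1:
            return StartTlsResult(False, "connection closed before the tagged STARTTLS reply")
        line = raw[cursor:end]
        cursor = end + 2
        if line.startswith(b"* "):
            handle_untagged(state, line)  # recorded only: TLS is not up yet
            continue
        if line.startswith(tag + b" "):
            status = line[len(tag) + 1:].split(b" ", 1)[0]
            if status != b"OK":
                return StartTlsResult(False, "STARTTLS refused: " + line.decode("ascii", "replace"))
            if raw[cursor:]:
                # Plaintext bytes queued behind the tagged OK would be the
                # first thing a naive client reads "inside" TLS. Abort.
                return StartTlsResult(False, "plaintext bytes follow the tagged STARTTLS reply")
            return StartTlsResult(True)
        return StartTlsResult(False, "unexpected line before STARTTLS: " + line.decode("ascii", "replace"))


# Constructed sample transcripts (not captured from any real server).
SAMPLE_CLEAN = (
    b"* OK IMAP4rev1 service ready\r\n"
    b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n"
    b"a001 OK Begin TLS negotiation now\r\n"
)
SAMPLE_TRAILING = SAMPLE_CLEAN + b"* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\n"


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("trailing", SAMPLE_TRAILING)):
        st = ClientState()
        res = starttls_phase(st, sample)
        print(name, res, "capabilities:", st.capabilities, "ignored:", st.ignored_plaintext)
    # After a successful handshake the caller wraps the socket with ssl,
    # sets tls_established and re-issues CAPABILITY; only then is it applied.
    st = ClientState(tls_established=True)
    handle_untagged(st, b"* CAPABILITY IMAP4rev1 AUTH=PLAIN")
    print("post-TLS capabilities:", st.capabilities)
```

On the clean transcript the result is `ok=True` with an empty capability set and two recorded plaintext lines; the capability list is only trusted once it is requested again inside the TLS session. The trailing-bytes transcript is refused before any TLS handshake starts, which is the check a client needs in addition to ignoring pre-TLS untagged data.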
This was apparently already fixed in 2.25, but the respective changelog entry did not explicitly mention STARTTLS, so it went unnoticed:
https://alpineapp.email/alpine/release/alpine-2.25.html

"Bugs that have been addressed include:
* The c-client library parses information from an IMAP server during non-authenticated state which could lead to denial of service. Reported by Damian Poddebniak from Münster University of Applied Sciences."

This means we already have fixed packages in Tumbleweed and openSUSE:Backports:SLE-15-SP4:Update, but there are still affected versions in openSUSE:Backports:SLE-15-SP3:Update (2.24) and openSUSE:Backports:SLE-12 (2.20). Shall we fix these two code streams as well, or is it not needed?
This is an autogenerated message for OBS integration: This bug (1189316) was mentioned in https://build.opensuse.org/request/show/1002258 Factory / alpine
We can just do a version update on backports if that stays kind of compatible.