Bugzilla – Bug 1189316
VUL-1: CVE-2021-38370: alpine: In Alpine through 2.24, untagged responses from an IMAP server are accepted before STARTTLS.
Last modified: 2022-09-16 09:48:57 UTC
In Alpine through 2.24, untagged responses from an IMAP server are accepted before STARTTLS.
This was apparently already fixed in 2.25, but the respective changelog entry did not explicitly mention STARTTLS, so it went unnoticed:
"Bugs that have been addressed include:
* The c-client library parses information from an IMAP server during non-authenticated state which could lead to denial of service. Reported by Damian Poddebniak from Münster University of Applied Sciences."
This means we already have fixed packages in Tumbleweed and openSUSE:Backports:SLE-15-SP4:Update, but there are still affected versions in openSUSE:Backports:SLE-15-SP3:Update (2.24) and openSUSE:Backports:SLE-12 (2.20).
Shall we fix these two code streams as well or is it not needed?
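The bug class behind this CVE, modelled as a small added example. This is hypothetical code written for this bug page, not Alpine or c-client code, and it makes no claim about how their parser is structured. It contrasts a lenient client that parses every untagged line received before the TLS handshake and carries leftover bytes into the TLS session, with a strict one that takes nothing from the plaintext phase except the tagged STARTTLS reply. The sample traffic (tag `A001`, the injected `CAPABILITY` and `EXISTS` lines) is constructed, not captured.

```python
"""Plaintext-phase IMAP STARTTLS handling: a lenient client beside a strict one.

Hypothetical example written for this bug page; it is not Alpine or c-client
code. It models the bug class named in the CVE title: a client that parses
untagged responses (from the real server or from an active attacker on the
path) before the TLS handshake, and that carries bytes which arrived after the
STARTTLS "OK" into the TLS session as if they had been protected by it.
"""

CRLF = b"\r\n"


class StarttlsError(Exception):
    """The STARTTLS phase did not complete cleanly."""


class StarttlsInjection(StarttlsError):
    """Data arrived in the plaintext phase that cannot be trusted."""


def read_until_tagged(tag, data):
    """Split raw socket bytes into (untagged lines, tagged reply, remainder).

    The tagged reply is the line answering our STARTTLS command; the remainder
    is every byte the peer sent after that line.
    """
    untagged = []
    pos = 0
    while True:
        end = data.find(CRLF, pos)
        if end < 0:                        # no complete tagged reply yet
            return untagged, None, data[pos:]
        line = data[pos:end]
        pos = end + 2
        if line.startswith(tag + b" "):
            return untagged, line, data[pos:]
        untagged.append(line)


def tagged_status(tag, tagged):
    """Return the status word (OK/NO/BAD) of a tagged reply, or b"" if absent."""
    parts = tagged[len(tag) + 1:].split()
    return parts[0] if parts else b""


def dispatch_untagged(state, line):
    """Act on an untagged response the way a mail client's parser would."""
    body = line[2:]                        # strip the leading "* "
    if body.startswith(b"OK [CAPABILITY "):
        caps = body[len(b"OK [CAPABILITY "):body.index(b"]")].split()
        state["capabilities"] = [c.decode() for c in caps]
    elif body.endswith(b" EXISTS"):
        state["exists"] = int(body.split()[0])
    elif body.startswith(b"PREAUTH"):
        state["preauth"] = True
    state["dispatched"].append(line.decode())


def lenient_starttls(tag, data):
    """Vulnerable pattern: parse everything, keep leftover bytes for after TLS."""
    state = {"dispatched": [], "capabilities": None, "exists": None,
             "preauth": False, "tls": False, "buffered_into_tls": b""}
    untagged, tagged, remainder = read_until_tagged(tag, data)
    for line in untagged:                  # attacker-controllable, acted on anyway
        dispatch_untagged(state, line)
    if tagged is not None and tagged_status(tag, tagged) == b"OK":
        state["tls"] = True
        # The read buffer is not flushed: these bytes are parsed later as
        # though the server had sent them inside the TLS session.
        state["buffered_into_tls"] = remainder
    return state


def strict_starttls(tag, data):
    """Hardened pattern: only the tagged OK survives the plaintext phase, and
    any byte that follows it aborts the connection."""
    untagged, tagged, remainder = read_until_tagged(tag, data)
    if tagged is None:
        raise StarttlsError("connection ended before the STARTTLS reply")
    if tagged_status(tag, tagged) != b"OK":
        raise StarttlsError("server refused STARTTLS: %r" % tagged)
    if remainder:
        # Bytes sent after "OK" but before the TLS handshake are not protected
        # by the session that follows; treat them as injection and abort.
        raise StarttlsInjection("%d bytes after STARTTLS OK" % len(remainder))
    # Untagged lines are dropped without dispatch; capabilities are re-read
    # with a fresh CAPABILITY command once TLS is up (RFC 3501 section 6.2.1).
    return {"tls": True, "dropped_untagged": len(untagged), "dispatched": []}


# Constructed sample traffic (not a real capture). Tag A001 answers our
# "A001 STARTTLS". An honest server sends only the tagged OK; an active
# attacker on the path adds untagged lines before it and pipelines more data
# after it, ahead of the TLS ClientHello.
TAG = b"A001"
HONEST = b"A001 OK Begin TLS negotiation now\r\n"
INJECTED = (
    b"* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] injected\r\n"
    b"* 3 EXISTS\r\n"
    b"A001 OK Begin TLS negotiation now\r\n"
    b"* 4 EXISTS\r\n"
)

if __name__ == "__main__":
    print(lenient_starttls(TAG, INJECTED))
    try:
        strict_starttls(TAG, INJECTED)
    except StarttlsInjection as exc:
        print("strict client aborted:", exc)
    print(strict_starttls(TAG, HONEST))
```

The lenient client ends up with attacker-chosen capabilities and mailbox state, and with `* 4 EXISTS` queued to be parsed after the handshake as if it were TLS-protected; the strict client learns nothing from the plaintext phase except that STARTTLS was accepted, and refuses the connection when anything trails the OK.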
This is an autogenerated message for OBS integration:
This bug (1189316) was mentioned in
https://build.opensuse.org/request/show/1002258 Factory / alpine
We can just do a version update on backports if that stays kind of compatible.