CVE-2020-15953

LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."

References

Affected packages

Debian:11 / libetpan

Package

Name: libetpan
Purl: pkg:deb/debian/libetpan?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.4-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libetpan

Package

Name: libetpan
Purl: pkg:deb/debian/libetpan?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.4-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libetpan

Package

Name: libetpan
Purl: pkg:deb/debian/libetpan?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.4-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/dinhvh/libetpan

Affected ranges

Type: GIT
Repo: https://github.com/dinhvh/libetpan
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

a6e6fb1b9d298c690db2eafb48a853e5b26c68d5

Type: GIT
Repo: https://github.com/mailcore/mailcore2
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

908b76857254dddfb07a74dd0e407e10d0900dd5

Affected versions

0.*

0.1

0.2

0.2.pre1

0.3.pre1

0.5

0.5.1

0.6

0.6.1

0.6.2

0.6.3

1.*

1.2

1.2.pre1

1.3.pre1

1.3.pre2

1.4

1.4.1

1.5

1.6

1.7

1.7.2

1.8

1.9

1.9.1

1.9.2

1.9.3

1.9.4