[SECURITY] [DLA 2329-1] libetpan security update

2020-08-1612:00:14

lists.debian.org

debian 9 stretch

starttls response injection

mail library

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.013

Percentile

86.1%

JSON

Debian LTS Advisory DLA-2329-1 [email protected]
https://www.debian.org/lts/security/
August 16, 2020 https://wiki.debian.org/LTS

Package : libetpan
Version : 1.6-3+deb9u1
CVE ID : CVE-2020-15953
Debian Bug : 966647

In libEtPan, a mail library, a STARTTLS response injection was
discovered that affects IMAP, SMTP, and POP3.

For Debian 9 stretch, this problem has been fixed in version
1.6-3+deb9u1.

We recommend that you upgrade your libetpan packages.

For the detailed security status of libetpan please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libetpan

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10mipslibetpan20-dbgsym< 1.9.3-2+deb10u1libetpan20-dbgsym_1.9.3-2+deb10u1_mips.deb
Debian9alllibetpan-doc< 1.6-3+deb9u1libetpan-doc_1.6-3+deb9u1_all.deb
Debian9amd64libetpan17< 1.6-3+deb9u1libetpan17_1.6-3+deb9u1_amd64.deb
Debian10arm64libetpan20-dbgsym< 1.9.3-2+deb10u1libetpan20-dbgsym_1.9.3-2+deb10u1_arm64.deb
Debian9armellibetpan-dev< 1.6-3+deb9u1libetpan-dev_1.6-3+deb9u1_armel.deb
Debian9i386libetpan-dev< 1.6-3+deb9u1libetpan-dev_1.6-3+deb9u1_i386.deb
Debian9arm64libetpan-dev< 1.6-3+deb9u1libetpan-dev_1.6-3+deb9u1_arm64.deb
Debian9alllibetpan< 1.6-3+deb9u1libetpan_1.6-3+deb9u1_all.deb
Debian10s390xlibetpan20-dbgsym< 1.9.3-2+deb10u1libetpan20-dbgsym_1.9.3-2+deb10u1_s390x.deb
Debian10amd64libetpan20< 1.9.3-2+deb10u1libetpan20_1.9.3-2+deb10u1_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	mips	libetpan20-dbgsym	< 1.9.3-2+deb10u1	libetpan20-dbgsym_1.9.3-2+deb10u1_mips.deb
Debian	9	all	libetpan-doc	< 1.6-3+deb9u1	libetpan-doc_1.6-3+deb9u1_all.deb
Debian	9	amd64	libetpan17	< 1.6-3+deb9u1	libetpan17_1.6-3+deb9u1_amd64.deb
Debian	10	arm64	libetpan20-dbgsym	< 1.9.3-2+deb10u1	libetpan20-dbgsym_1.9.3-2+deb10u1_arm64.deb
Debian	9	armel	libetpan-dev	< 1.6-3+deb9u1	libetpan-dev_1.6-3+deb9u1_armel.deb
Debian	9	i386	libetpan-dev	< 1.6-3+deb9u1	libetpan-dev_1.6-3+deb9u1_i386.deb
Debian	9	arm64	libetpan-dev	< 1.6-3+deb9u1	libetpan-dev_1.6-3+deb9u1_arm64.deb
Debian	9	all	libetpan	< 1.6-3+deb9u1	libetpan_1.6-3+deb9u1_all.deb
Debian	10	s390x	libetpan20-dbgsym	< 1.9.3-2+deb10u1	libetpan20-dbgsym_1.9.3-2+deb10u1_s390x.deb
Debian	10	amd64	libetpan20	< 1.9.3-2+deb10u1	libetpan20_1.9.3-2+deb10u1_amd64.deb