libetpan: Improper STARTTLS handling — GLSA 202007-55

A vulnerability was discovered in libetpan's STARTTLS handling, possibly allowing an integrity/confidentiality compromise.

Affected packages

net-libs/libetpan on all architectures
Affected versions < 1.9.4-r1
Unaffected versions >= 1.9.4-r1

Background

libetpan is a portable, efficient middleware for different kinds of mail access.

Description

It was discovered that libetpan was not properly handling state within the STARTTLS protocol handshake.

Impact

There may be a breach of integrity or confidentiality in connections made using libetpan with STARTTLS.

Workaround

There is no known workaround at this time.

Resolution

All libetpan users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/libetpan-1.9.4-r1"
 

References

Release date
July 28, 2020

Latest revision
July 28, 2020: 1

Severity
normal

Exploitable
remote

Bugzilla entries