Debian Bug report logs - #963179
alpine: CVE-2020-14929


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 20 Jun 2020 05:48:02 UTC

Severity: important

Tags: security, upstream

Found in versions alpine/2.20+dfsg1-7, alpine/2.21+dfsg1-1.1, alpine/2.22+dfsg1-1

Fixed in version alpine/2.23+dfsg1-1

Done: Unit 193 <unit193@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Asheesh Laroia <asheesh@asheesh.org>: Bug#963179; Package src:alpine. (Sat, 20 Jun 2020 05:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Asheesh Laroia <asheesh@asheesh.org>. (Sat, 20 Jun 2020 05:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: alpine: CVE-2020-14929
Date: Sat, 20 Jun 2020 07:45:15 +0200
Source: alpine
Version: 2.22+dfsg1-1
Severity: important
Tags: security upstream
Control: found -1 2.21+dfsg1-1.1
Control: found -1 2.20+dfsg1-7

Hi,

The following vulnerability was published for alpine.

CVE-2020-14929[0]:
| Alpine before 2.23 silently proceeds to use an insecure connection
| after a /tls is sent in certain circumstances involving PREAUTH, which
| is a less secure behavior than the alternative of closing the
| connection and letting the user decide what they would like to do.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-14929
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14929
[1] https://repo.or.cz/alpine.git/commit/000edd9036b6aea5e6a06900ecd6c58faec665ab
[2] http://mailman13.u.washington.edu/pipermail/alpine-info/2020-June/008989.html

Regards,
Salvatore



Marked as found in versions alpine/2.21+dfsg1-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 20 Jun 2020 05:48:04 GMT)


Marked as found in versions alpine/2.20+dfsg1-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 20 Jun 2020 05:48:04 GMT)


Reply sent to Unit 193 <unit193@debian.org>: You have taken responsibility. (Sat, 20 Jun 2020 07:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 20 Jun 2020 07:51:05 GMT)


Message #14 received at 963179-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 963179-close@bugs.debian.org
Subject: Bug#963179: fixed in alpine 2.23+dfsg1-1
Date: Sat, 20 Jun 2020 07:48:38 +0000
Source: alpine
Source-Version: 2.23+dfsg1-1
Done: Unit 193 <unit193@debian.org>

We believe that the bug you reported is fixed in the latest version of
alpine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 963179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Unit 193 <unit193@debian.org> (supplier of updated alpine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Sat, 20 Jun 2020 03:19:39 -0400
Source: alpine
Architecture: source
Version: 2.23+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Asheesh Laroia <asheesh@asheesh.org>
Changed-By: Unit 193 <unit193@debian.org>
Closes: 956361 963179
Changes:
 alpine (2.23+dfsg1-1) unstable; urgency=medium
 .
   * New upstream version 2.23+dfsg1.
     - Security Bug: Alpine can be configured to start a secure connection using
       /tls on an insecure connection. However, if the connection is PREAUTH,
       Alpine will not upgrade the connection to a secure connection, because
       a client must not issue a STARTTLS to a server that supports it in
       authenticated state. This makes Alpine continue to use an insecure
       connection with the server, exposing user data. Reported by Damian
       Poddebniak and Fabian Ising from Münster University of Applied Sciences.
       Closes: #963179, CVE-2020-14929
     - Attempt to fix a bug that breaks scrolling of a message in
       Alpine when the screen is resized. (Closes: #956361)
   * d/control, d/copyright: Update my email address.
   * d/control:
     - Bump DH compat to 13.
     - Drop versioned B-D on dpkg-dev, no longer needed.
Checksums-Sha1:
 419168a5d145ed78738fdc27e359302a474b71b1 2184 alpine_2.23+dfsg1-1.dsc
 d67ca12377a95366e10ee4c557d2e6a69a045999 4420640 alpine_2.23+dfsg1.orig.tar.xz
 1e9db3b064bd593b6183e1dfecf08d6dd409ba6b 15496 alpine_2.23+dfsg1-1.debian.tar.xz
 923b0c41fc933d510d3e3927f5cbd3540c6a7fbc 8204 alpine_2.23+dfsg1-1_amd64.buildinfo
Checksums-Sha256:
 b77090d6d08b7581c74b923c08269bfbf0fbec4a5cdd9704382ca656eb8ac49f 2184 alpine_2.23+dfsg1-1.dsc
 b9799c9a11c9aaf3d0fd6dd0b4b1b57406f8da6d788a80ad90c2139fdbbccf81 4420640 alpine_2.23+dfsg1.orig.tar.xz
 a153bd6c4547cf3d8dc32d319a725cc1896a9f52887e18e38d7958b72abdbc33 15496 alpine_2.23+dfsg1-1.debian.tar.xz
 876f05c4bff5a95bbf928c71cdd6d42f950287e5927b36b2ca27af4909325b44 8204 alpine_2.23+dfsg1-1_amd64.buildinfo
Files:
 77ec57d34b78408842d9de29815ce61e 2184 mail optional alpine_2.23+dfsg1-1.dsc
 49278e7c023811e8c3f630909ff58e0f 4420640 mail optional alpine_2.23+dfsg1.orig.tar.xz
 6b6556d01eeffc249222680c20d2d17e 15496 mail optional alpine_2.23+dfsg1-1.debian.tar.xz
 0122834fd001cc03987cc37ba05a995a 8204 mail optional alpine_2.23+dfsg1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCQAdFiEEjbPlhoZdK0orGFpcUAHhsJqjdEsFAl7tuf4ACgkQUAHhsJqj
dEtPMQ/6A9f8d6RivNAVIK3tLsUGYhBP2KSIUs4uHXbr6lVLmG3FMp+U+jeuhuQ/
tfgNaDJ87MZZgnyPBghIhUm/EjEqpgX8SNvKu4w3GnN9TcVZ+nM7nQJ2wHK39gz/
6FpCKqmbC7Y/NXaG7w0dlhjKATuYGpRABYdZDfUK3nhCxEb+iJqYewDbsh4t3b/R
rFN+pOPAZ7Gkc21/GnusDGr3w6FN2m//oon7DNQP4hkZqnu2dJYwRVfAdULLbZdh
HicqBtbOUOrq0Pc2RiDMS9bAJJDMazSIyKF2r90F6wTFP+SGgxo/ey1a9Mj0WtDd
iMc/v0kr2WlRyZdIbOI/Blp86L7eNwYGiKpXSI0b+9vKiYnmN+pSZCN/5mJtzw8Q
ahDnzCPYBR2+0h4eMKAazTIjDJvFkFHlGDUE4sCHzbsl/GBK2ILB2AeYrFm0z7LR
g8eSPLdjKNJ3oMqLYVjXdMgx1qEzE5hN+9kTEgk5RS5JpTeJqa1RbtadN2UEJB/U
jdpZ3Dydoe53xJicj4JYtG6jIoGOvXk1bwcydq8xilPYD3WbKl/igjY9Jl6auw0Y
PGL63+aiekWHyd6mNm664erQ2PfIIyJsgSAYwyItonSCjb/FIjqiB4OG8YHxBy8M
flJNJvZWPikxOYeQ52pSmvasGtiX9Osi1ArxShpDCEGCgbCEeps=
=xtt2
-----END PGP SIGNATURE-----
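The changelog entry above, and the CVE text quoted in Salvatore's report, describe the same failure: Alpine is told to upgrade a plaintext IMAP connection with /tls, the server greets with PREAUTH, and because STARTTLS is only valid before authentication the client can never issue it, so pre-2.23 Alpine simply carried on in cleartext. The Python sketch below is an added example written for this page; it is not Alpine's code and not taken from the bug report or the upstream commit. It models the client's decision at that point against a constructed in-process fake server: `fail_closed=False` reproduces the silent downgrade, `fail_closed=True` the fix's approach of dropping the connection so the user can decide. Every name in it (`negotiate`, `fake_server`, `simulate`, the tag `a001`, the greeting strings) is illustrative, and the actual TLS wrapping after a successful STARTTLS is left out.

```python
"""Added example (not Alpine's code): fail closed when /tls cannot be honoured."""
import socket
import threading


class TlsUnavailable(Exception):
    """The user asked for /tls but the connection cannot be upgraded to TLS."""


def read_line(sock: socket.socket) -> bytes:
    """Read one CRLF-terminated IMAP line; returns what was read so far on EOF."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)          # one byte at a time keeps the demo simple
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def parse_greeting(line: bytes) -> str:
    """Return 'OK', 'PREAUTH' or 'BYE' from an untagged IMAP server greeting."""
    parts = line.strip().split(b" ", 2)
    if len(parts) < 2 or parts[0] != b"*":
        raise ValueError(f"not an IMAP greeting: {line!r}")
    status = parts[1].upper().decode("ascii", "replace")
    if status not in ("OK", "PREAUTH", "BYE"):
        raise ValueError(f"unexpected greeting status: {status}")
    return status


def negotiate(sock: socket.socket, want_tls: bool, fail_closed: bool) -> str:
    """Drive the pre-authentication phase on a connected, still-plaintext socket.

    Returns 'tls' (STARTTLS accepted; the caller would now wrap the socket) or
    'plain' (continuing unencrypted). With fail_closed=True a requested upgrade
    that cannot happen raises TlsUnavailable instead of returning 'plain';
    fail_closed=False reproduces the pre-2.23 downgrade described in the bug.
    """
    status = parse_greeting(read_line(sock))
    if status == "BYE":
        raise ConnectionError("server refused the connection")
    if not want_tls:
        return "plain"                 # the user never asked for /tls
    if status == "PREAUTH":
        # PREAUTH puts the session straight into the authenticated state, and
        # STARTTLS is only valid before authentication (RFC 3501 6.2.1), so
        # there is no legal way to upgrade this connection any more.
        if fail_closed:
            sock.close()
            raise TlsUnavailable("PREAUTH greeting: /tls cannot be honoured")
        return "plain"                 # CVE-2020-14929 behaviour: silent downgrade
    sock.sendall(b"a001 STARTTLS\r\n")
    reply = read_line(sock)
    if reply.upper().startswith(b"A001 OK"):
        return "tls"
    if fail_closed:
        sock.close()
        raise TlsUnavailable(f"STARTTLS rejected: {reply!r}")
    return "plain"                     # same downgrade, different trigger


def fake_server(conn: socket.socket, greeting: bytes, accept_starttls: bool) -> None:
    """Constructed stand-in for an IMAP server: one greeting, one reply, hang up."""
    conn.sendall(greeting)
    cmd = read_line(conn)
    if cmd.upper().startswith(b"A001 STARTTLS"):
        conn.sendall(b"a001 OK Begin TLS negotiation now\r\n" if accept_starttls
                     else b"a001 BAD STARTTLS not available\r\n")
    conn.close()


def simulate(greeting: bytes, want_tls: bool, fail_closed: bool,
             accept_starttls: bool = True) -> str:
    """Run one client/server exchange in-process; returns 'tls', 'plain' or 'refused'."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_server,
                         args=(server, greeting, accept_starttls), daemon=True)
    t.start()
    try:
        return negotiate(client, want_tls, fail_closed)
    except TlsUnavailable:
        return "refused"
    finally:
        client.close()
        t.join(timeout=2)


if __name__ == "__main__":
    # Constructed greetings; a real server would also advertise capabilities.
    preauth = b"* PREAUTH IMAP4rev1 server logged in as user\r\n"
    ok = b"* OK IMAP4rev1 server ready\r\n"
    print("OK greeting, /tls, fixed      :", simulate(ok, True, True))
    print("PREAUTH greeting, /tls, old   :", simulate(preauth, True, False))
    print("PREAUTH greeting, /tls, fixed :", simulate(preauth, True, True))
```

Two points the example makes that the changelog does not spell out: the hardened path treats a rejected STARTTLS exactly like PREAUTH, since both leave the user with a plaintext session they did not ask for, and the only safe outcome when the requested upgrade is impossible is to stop before any credentials or mail cross the wire, which is what the 2.23 behaviour of closing the connection achieves.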






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jun 20 13:40:33 2020; Machine Name: bembo
