Bug 707848 (CVE-2011-3355)
Summary: | CVE-2011-3355 evolution: IMAP does non-SSL connection when storing to Sent folder | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Olivier Crête <olivier.crete> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | fidencio, jkurik, jlieskov, lucilanga, mbarnes, mcrha, paul, security-response-team, vdanen |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | evolution 3.1.2 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-07-25 13:20:48 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 737106 | ||
Bug Blocks: | 737090 |
Description
Olivier Crête
2011-05-26 07:13:09 UTC
Hi, Olivier, thank you for your report. (In reply to comment #0) > How reproducible: > > Always... until I re-selected the IMAP folder in Defaults.. then it was gone. So when you configured the IMAP account to use SSL/TLS alternative, the Defaults pref tab contained Sent folder for the remote server? IOW got it I right, that this was reset without user action / consciousness? Also, under 'until I re-selecated the IMAP folder in Defaults' you mean, you set it back in Defaults tab to be the Sent folder on the remote server machine, right? Or you mean just clicking on it? Thank you, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team In Evo 2.32 I had selected the remote folder, so it was still selected when upgrading to 3.0. But it tried to connect to the server over a non-SSL (sending my username/password without SSL). I only realised there was a problem because our Dovecot server only allows upgrading to TLS over a non-SSL connection. I went into the Defaults tab, clicked on the button, re-selected the remote folder from the list (I think something else was selected, not sure). And clicked Ok, after doing that, it seemed to fix itself. Upstream bug report: [1] https://bugzilla.gnome.org/show_bug.cgi?id=648277 Upstream fix: [2] http://git.gnome.org/browse/evolution-data-server/commit/?id=e0ac4d79705c *** Bug 697904 has been marked as a duplicate of this bug. *** CVE Request: [3] http://www.openwall.com/lists/oss-security/2011/09/09/1 Created evolution tracking bugs for this issue Affects: fedora-15 [bug 737106] This issue did NOT affect the versions of the evolution and evolution28 packages, as shipped with Red Hat Enterprise Linux 4. This issue did NOT affect the versions of the evolution package, as shipped with Red Hat Enterprise Linux 5 and 6. Statement: Not vulnerable. This issue did not affect the versions of evolution as shipped with Red Hat Enterprise Linux 4, 5, or 6. This issue did not affect the version of evolution28 as shipped with Red Hat Enterprise Linux 4. This was assigned the name CVE-2011-3355. |