A flaw was found in GNOME evolution-data-server before 3.21.2. camel/providers/imapx/camel-imapx-server.c in the IMAPx component proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1334842

Upstream Patch: https://gitlab.gnome.org/GNOME/evolution-data-server/commit/f26a6f67
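The defect class described above, as an added illustration that is not the project's code and not the upstream patch: a hypothetical model of the IMAP STARTTLS step in which the buggy variant records the server's refusal but still falls through to sending LOGIN in cleartext, while the fixed variant aborts. The tag "A0001" and the server reply strings are constructed for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Added illustration, not evolution-data-server's code: a minimal model of
 * the IMAP STARTTLS step. Server replies are constructed strings. */

enum outcome { LOGIN_OVER_TLS, LOGIN_CLEARTEXT, ABORTED };

struct session {
    bool want_starttls;   /* client is configured to use STARTTLS */
    bool tls_active;      /* set once the TLS handshake has completed */
    const char *error;    /* last recorded error, or NULL */
};

/* Parse a tagged IMAP reply such as "A0001 OK Begin TLS" and report whether
 * the status word following the tag is exactly OK. */
static bool tagged_reply_ok(const char *tag, const char *reply)
{
    size_t n = strlen(tag);
    if (strncmp(reply, tag, n) != 0 || reply[n] != ' ')
        return false;
    return strncmp(reply + n + 1, "OK", 2) == 0 &&
           (reply[n + 3] == ' ' || reply[n + 3] == '\0');
}

/* Models the defective control flow: the refusal is recorded as an error,
 * but execution falls through and the caller sends LOGIN in cleartext. */
enum outcome connect_buggy(struct session *s, const char *starttls_reply)
{
    if (s->want_starttls) {
        if (!tagged_reply_ok("A0001", starttls_reply)) {
            s->error = "STARTTLS not supported";
            /* defect: no early return here */
        } else {
            s->tls_active = true;   /* TLS handshake would run here */
        }
    }
    return s->tls_active ? LOGIN_OVER_TLS : LOGIN_CLEARTEXT;
}

/* Corrected control flow: a refused STARTTLS aborts the connection before
 * any credential is sent. */
enum outcome connect_fixed(struct session *s, const char *starttls_reply)
{
    if (s->want_starttls) {
        if (!tagged_reply_ok("A0001", starttls_reply)) {
            s->error = "STARTTLS not supported";
            return ABORTED;
        }
        s->tls_active = true;
    }
    return s->tls_active ? LOGIN_OVER_TLS : LOGIN_CLEARTEXT;
}
```

A client-side check that LOGIN is only ever issued while `tls_active` is true would have caught the buggy path regardless of where the control-flow mistake sat.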
I'm sorry, but what is this bug supposed to serve for, please? It doesn't make any sense to me to file a bug for a thing which had been fixed more than two years ago, while Fedora supports only ~13 months back. What am I missing here, please?
(In reply to Milan Crha from comment #1)
> I'm sorry, but what is this bug supposed to serve for, please? It doesn't
> make any sense to me to file a bug for a thing which had been fixed more
> than two years ago, while Fedora supports only ~13 months back. What am I
> missing here, please?

Hi Milan,

Fedora is not affected by this issue, as noted in fedora-all/evolution-data-server=notaffected. However, I still need to file this for the remaining platforms that ship this package.
I see. If I read the white board properly, then it says only: rhel-7/evolution-data-server=affected and all the others are not affected. RHEL 7.4 contains evolution-data-server-3.22.7, which had the upstream fix included, thus unless you aim even lower, this had been addressed in RHEL 7 ~a year ago, thus it's not affected now too. Am I right? RHEL 7.3 had evolution-data-server-3.12.11, which would be affected, not being of bug #1265684, whose changes included that upstream fix as one of the side effects. Maybe RHEL 7.2 is affected, it also contains 3.12.11.
In reply to comment 3:
> I see. If I read the white board properly, then it says only:
> rhel-7/evolution-data-server=affected
> and all the others are not affected. RHEL 7.4 contains
> evolution-data-server-3.22.7, which had the upstream fix included, thus
> unless you aim even lower, this had been addressed in RHEL 7 ~a year ago,
> thus it's not affected now too. Am I right?
>
> RHEL 7.3 had evolution-data-server-3.12.11, which would be affected, not
> being of bug #1265684, whose changes included that upstream fix as one of
> the side effects.
>
> Maybe RHEL 7.2 is affected, it also contains 3.12.11.

Yes, this was fixed by https://access.redhat.com/errata/RHBA-2016:2206

Regarding the whiteboard, we need to set it to "affected" since RHEL-7.2 is still affected and also due to the proper errata link being displayed on the CVE page.
Statement: This issue did not affect the versions of evolution-data-server as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include the vulnerable code.