opensuse-su-2021:0675-1
Vulnerability from csaf_opensuse
Published
2021-05-06 12:06
Modified
2021-05-06 12:06
Summary
Security update for alpine
Notes
Title of the patch
Security update for alpine
Description of the patch
This update for alpine fixes the following issues:
Update to release 2.24
* A few crash fixes
* Implementation of XOAUTH2 for Yahoo! Mail.
Update to release 2.23.2
* Expansion of the configuration screen for XOAUTH2 to include
username, and tenant.
* Alpine uses the domain in the From: header of a message
to generate a message-id and suppresses all information
about Alpine, version, revision, and time of generation
of the message-id from this header.
* Alpine does not generate Sender or X-X-Sender by default by
enabling [X] Disable Sender as the default.
* Alpine does not disclose User Agent by default by enabling
[X] Suppress User Agent by default.
* When messages are selected, pressing the ';' command to
broaden or narrow a search, now offers the possibility to
completely replace the search, and is almost equivalent to
being a shortcut to 'unselect all messages, and select
again'.
Update to release 2.23
* Fixes boo#1173281, CVE-2020-14929: Alpine silently proceeds to
use an insecure connection after a /tls is sent in certain
circumstances.
* Implementation of XOAUTH2 authentication support for Outlook.
* Add support for the OAUTHBEARER authentication method in Gmail.
* Support for the SASL-IR IMAP extension.
* Alpine can pass an HTML message to an external web browser,
by using the 'External' command in the ATTACHMENT INDEX
screen.
Update to release 2.22
* Support for XOAUTH2 authentication method in Gmail.
* NTLM authentication support with the ntlm library.
* Added the '/tls1_3' flag for servers that support it.
* Add the 'g' option to the select command that works in IMAP
servers that implement the X-GM-EXT-1 capability (such as the
one offered by Gmail).
* Added '/auth=XYZ' to the way to define a server. This allows
users to select the method to authenticate to an IMAP, SMTP
or POP3 server. Examples are /auth=plain, or /auth=gssapi,
etc.
* When a message is of type multipart/mixed, and its first part
is multipart/signed, Alpine will include the text of the
original message in a reply message, instead of including a
multipart attachment.
* Added backward search in the index screen.
* pico: Add -dict option to Pico, which allows users to choose a
dictionary when spelling.
- Drop /usr/bin/mailutil, it is not built by default anymore.
* Added Quota subcommands for printing, forwarding, saving, etc.
Patchnames
openSUSE-2021-675
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for alpine",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for alpine fixes the following issues:\n\nUpdate to release 2.24\n\n* A few crash fixes\n* Implementation of XOAUTH2 for Yahoo! Mail.\n\nUpdate to release 2.23.2\n\n* Expansion of the configuration screen for XOAUTH2 to include\n username, and tenant.\n* Alpine uses the domain in the From: header of a message\n to generate a message-id and suppresses all information\n about Alpine, version, revision, and time of generation\n of the message-id from this header.\n* Alpine does not generate Sender or X-X-Sender by default by\n enabling [X] Disable Sender as the default.\n* Alpine does not disclose User Agent by default by enabling\n [X] Suppress User Agent by default.\n* When messages are selected, pressing the \u0027;\u0027 command to\n broaden or narrow a search, now offers the possibility to\n completely replace the search, and is almost equivalent to\n being a shortcut to \u0027unselect all messages, and select\n again\u0027.\n\nUpdate to release 2.23\n\n* Fixes boo#1173281, CVE-2020-14929: Alpine silently proceeds to\n use an insecure connection after a /tls is sent in certain\n circumstances.\n* Implementation of XOAUTH2 authentication support for Outlook.\n* Add support for the OAUTHBEARER authentication method in Gmail.\n* Support for the SASL-IR IMAP extension.\n* Alpine can pass an HTML message to an external web browser,\n by using the \u0027External\u0027 command in the ATTACHMENT INDEX\n screen.\n\nUpdate to release 2.22\n\n* Support for XOAUTH2 authentication method in Gmail. \n* NTLM authentication support with the ntlm library.\n* Added the \u0027/tls1_3\u0027 flag for servers that support it.\n* Add the \u0027g\u0027 option to the select command that works in IMAP\n servers that implement the X-GM-EXT-1 capability (such as the\n one offered by Gmail).\n* Added \u0027/auth=XYZ\u0027 to the way to define a server. This allows\n users to select the method to authenticate to an IMAP, SMTP\n or POP3 server. Examples are /auth=plain, or /auth=gssapi,\n etc.\n* When a message is of type multipart/mixed, and its first part\n is multipart/signed, Alpine will include the text of the\n original message in a reply message, instead of including a\n multipart attachment.\n* Added backward search in the index screen.\n* pico: Add -dict option to Pico, which allows users to choose a\n dictionary when spelling.\n- Drop /usr/bin/mailutil, it is not built by default anymore.\n\n* Added Quota subcommands for printing, forwarding, saving, etc.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-675",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0675-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:0675-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7ZRQIHG7XRVXHNCK66IMEPQ7LPQIJT4P/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:0675-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7ZRQIHG7XRVXHNCK66IMEPQ7LPQIJT4P/"
},
{
"category": "self",
"summary": "SUSE Bug 1173281",
"url": "https://bugzilla.suse.com/1173281"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14929 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14929/"
}
],
"title": "Security update for alpine",
"tracking": {
"current_release_date": "2021-05-06T12:06:14Z",
"generator": {
"date": "2021-05-06T12:06:14Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:0675-1",
"initial_release_date": "2021-05-06T12:06:14Z",
"revision_history": [
{
"date": "2021-05-06T12:06:14Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "alpine-2.24-lp152.5.3.1.x86_64",
"product": {
"name": "alpine-2.24-lp152.5.3.1.x86_64",
"product_id": "alpine-2.24-lp152.5.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "pico-5.07-lp152.5.3.1.x86_64",
"product": {
"name": "pico-5.07-lp152.5.3.1.x86_64",
"product_id": "pico-5.07-lp152.5.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "pilot-2.99-lp152.5.3.1.x86_64",
"product": {
"name": "pilot-2.99-lp152.5.3.1.x86_64",
"product_id": "pilot-2.99-lp152.5.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "alpine-2.24-lp152.5.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:alpine-2.24-lp152.5.3.1.x86_64"
},
"product_reference": "alpine-2.24-lp152.5.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pico-5.07-lp152.5.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:pico-5.07-lp152.5.3.1.x86_64"
},
"product_reference": "pico-5.07-lp152.5.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pilot-2.99-lp152.5.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:pilot-2.99-lp152.5.3.1.x86_64"
},
"product_reference": "pilot-2.99-lp152.5.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14929",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14929"
}
],
"notes": [
{
"category": "general",
"text": "Alpine before 2.23 silently proceeds to use an insecure connection after a /tls is sent in certain circumstances involving PREAUTH, which is a less secure behavior than the alternative of closing the connection and letting the user decide what they would like to do.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:alpine-2.24-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:pico-5.07-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:pilot-2.99-lp152.5.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14929",
"url": "https://www.suse.com/security/cve/CVE-2020-14929"
},
{
"category": "external",
"summary": "SUSE Bug 1173281 for CVE-2020-14929",
"url": "https://bugzilla.suse.com/1173281"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:alpine-2.24-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:pico-5.07-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:pilot-2.99-lp152.5.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:alpine-2.24-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:pico-5.07-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:pilot-2.99-lp152.5.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-06T12:06:14Z",
"details": "important"
}
],
"title": "CVE-2020-14929"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…