openSUSE Security Update : alpine (openSUSE-2021-675)

high Nessus Plugin ID 149594

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for alpine fixes the following issues:

Update to release 2.24

- A few crash fixes

- Implementation of XOAUTH2 for Yahoo! Mail.

Update to release 2.23.2

- Expansion of the configuration screen for XOAUTH2 to include username and tenant.

- Alpine uses the domain in the From: header of a message to generate a message-id and suppresses all information about Alpine, version, revision, and time of generation of the message-id from this header.

- Alpine does not generate Sender or X-X-Sender by default: [X] Disable Sender is now enabled as the default.

- Alpine does not disclose User Agent by default: [X] Suppress User Agent is now enabled by default.

- When messages are selected, pressing the ';' command to broaden or narrow a search now offers the possibility to completely replace the search, which is almost equivalent to a shortcut for 'unselect all messages, and select again'.

Update to release 2.23

- Fixes boo#1173281, CVE-2020-14929: Alpine silently proceeds to use an insecure connection after a /tls is sent in certain circumstances.

- Implementation of XOAUTH2 authentication support for Outlook.

- Add support for the OAUTHBEARER authentication method in Gmail.

- Support for the SASL-IR IMAP extension.

- Alpine can pass an HTML message to an external web browser, by using the 'External' command in the ATTACHMENT INDEX screen.

Update to release 2.22

- Support for XOAUTH2 authentication method in Gmail.

- NTLM authentication support with the ntlm library.

- Added the '/tls1_3' flag for servers that support it.

- Add the 'g' option to the select command that works in IMAP servers that implement the X-GM-EXT-1 capability (such as the one offered by Gmail).

- Added '/auth=XYZ' to the syntax for defining a server. This allows users to select the method used to authenticate to an IMAP, SMTP or POP3 server. Examples are /auth=plain, /auth=gssapi, etc.

- When a message is of type multipart/mixed, and its first part is multipart/signed, Alpine will include the text of the original message in a reply message, instead of including a multipart attachment.

- Added backward search in the index screen.

- pico: Add -dict option to Pico, which allows users to choose a dictionary when spelling.

- Drop /usr/bin/mailutil, it is not built by default anymore.

- Added Quota subcommands for printing, forwarding, saving, etc.

Solution

Update the affected alpine packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1173281

Plugin Details

Severity: High

ID: 149594

File Name: openSUSE-2021-675.nasl

Version: 1.3

Type: local

Agent: unix

Published: 5/18/2021

Updated: 1/1/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2020-14929

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:alpine, p-cpe:/a:novell:opensuse:alpine-debuginfo, p-cpe:/a:novell:opensuse:alpine-debugsource, p-cpe:/a:novell:opensuse:pico, p-cpe:/a:novell:opensuse:pico-debuginfo, p-cpe:/a:novell:opensuse:pilot, p-cpe:/a:novell:opensuse:pilot-debuginfo, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/6/2021

Vulnerability Publication Date: 6/19/2020

Reference Information

CVE: CVE-2020-14929