Security fix for CVE-2020-15917 (STARTTLS protocol violation).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for claws-mail fixes the following issues :

  - CVE-2020-15917: Fixed an improper handling of suffix     data after STARTTLS is mishandled (boo#1174457).

This update for claws-mail fixes the following issues :

  - Update to 3.17.6 :

  - It is now possible to 'Inherit Folder properties and     processing rules from parent folder' when creating new     folders with the move message and copy message     dialogues.

  - A Phishing warning is now shown when copying a phishing     URL, (in addition to clicking a phishing URL).

  - The progress window when importing an mbox file is now     more responsive.

  - A warning dialogue is shown if the selected privacy     system is 'None' and automatic signing amd/or encrypting     is enabled.

  - Python plugin: pkgconfig is now used to check for     python2. This enables the Python plugin (which uses     python2) to be built on newer systems which have both     python2 and python3.

  - CVE-2020-15917: Fixed an improper handling of suffix     data after STARTTLS is mishandled (boo#1174457).

This update for claws-mail fixes the following issues :

  - Additional cleanup of the template handling

claws-mail was updated to 3.17.8 (boo#1177967)

  - Shielded template's |program() and |attach_program() so     that the command-line that is executed does not allow     sequencing such as with && || ;, preventing possible     execution of nasty, or at least unexpected, commands

  - bug fixes: claws#4376

  - updated English, French, and Spanish manuals

  - Update to 3.17.7 

  - Image Viewer: Image attachments, when displayed, are now     resized to fit the available width rather than the     available height.

  - -d is now an alias to --debug.

  - Libravatar plugin: New styles supported: Robohash and     Pagan.

  - SpamAssassin plugin: The 'Maximum size' option now     matches SpamAssassin's maximum; it can now handle     messages up to 256MB.

  - LiteHTML viewer plugin: The UI is now translatable. Bug     fixes :

  - bug 4313, 'Recursion stack overflow with rebuilding     folder tree'

  - bug 4372, '[pl_PL] Crash after 'Send later' without     recipient and then 'Close''

  - bug 4373, 'attach mailto URI double free'

  - bug 4374, 'insert mailto URI misses checks'

  - bug 4384, 'U+00AD (soft hyphen) changed to space in     Subject'

  - bug 4386, 'Allow Sieve config without userid without     warning'

  - Add missing SSL settings when cloning accounts.

  - Parsing of command-line arguments.

  - PGP Core plugin: fix segv in address completion with a     keyring.

  - Libravatar plugin: fixes to image display.

  - Disable python-gtk plugin on suse_version > 1500: still     relying on python2, which is EOL.

  - Update to 3.17.6 :

  - It is now possible to 'Inherit Folder properties and     processing rules from parent folder' when creating new     folders with the move message and copy message     dialogues.

  - A Phishing warning is now shown when copying a phishing     URL, (in addition to clicking a phishing URL).

  - The progress window when importing an mbox file is now     more responsive.

  - A warning dialogue is shown if the selected privacy     system is 'None' and automatic signing amd/or encrypting     is enabled.

  - Python plugin: pkgconfig is now used to check for     python2. This enables the Python plugin (which uses     python2) to be built on newer systems which have both     python2 and python3. Bug fixes :

  - bug 3922, 'minimize to tray on startup not working'

  - bug 4220, 'generates files in cache without content'

  - bug 4325, 'Following redirects when retrieving image'

  - bug 4342, 'Import mbox file command doesn't work twice     on a row'

  - fix STARTTLS protocol violation

  - fix initial debug line

  - fix fat-fingered crash when v (hiding msgview) is     pressed just before c (check signature)

  - fix non-translation of some Templates strings

  - Update to 3.17.5

  + Inline Git patches now have colour syntax highlighting     The colours of these, and patch attachments, are     configurable on the 'Other' tab of the Display/Colors     page of the general preferences.

  + The previously hidden preference, 'summary_from_show',     is now configurable within the UI, on the 'Message List'     tab of the Display/Summaries page of the general     preferences, 'Displayed in From column [ ]'.

  + 'Re-edit' has been added to the message context menu     when in the Drafts folder.

  + Additional Date header formats are supported :

  - weekday, month, day, hh, mm, ss, year, zone

  - weekday, month, day, hh, mm, ss, year

  + LiteHtml viewer plugin: scrolling with the keyboard has     been implemented.

  + The included tools/scripts have been updated :

  - eud2gc.py converted to Python 3

  - tbird2claws.py converted to Python 3

  - tbird2claws.py converted to Python 3

  - google_search.pl has been replaced with ddg_search.pl     (that is, duckduckgo.com instead of google.com)

  - fix_date.sh and its documentation have been updated 

  - multiwebsearch.pl 'fm' (freshmeat.net) has been removed;
    'google' has been replaced by 'ddg'

  - the outdated OOo2claws-mail.pl script has been removed

  + Updated manuals

  + Updated translations: British English, Catalan, Czech,     Danish, Dutch, French, German, Russian, Slovak, Spanish,     Swedish, Traditional Chinese, Turkish

  + bug fixes: claws#2131, claws#4237, claws#4239,     claws#4248, claws#4253, claws#4257, claws#4277,     claws#4278, claws#4305

  + Misc bugs fixed :

  - Fix crash in litehtml_viewer when tag has no href

  - removed 'The following file has been attached...'     dialogue

  - MBOX import: give a better estimation of the time left     and grey out widgets while importing

  - Fixed 'vcard.c:238:2: warning: &lsquo;strncpy&rsquo;
    output truncate before terminating nul copying as many     bytes from a string as its length'

  - RSSyl: Fix handling deleted feed items where modified     and published dates do not match 

  - fix bolding of target folder

  - when creating a new account, don't pre-fill data from     the default account

  - respect 'default selection' settings when moving a msg     with manual filtering

  - Fix printing of empty pages when the selected part is     rendered with a plugin not implementing print

  - Addressbook folder selection dialogs: make sure folder     list is sorted and apply global prefs to get stripes in     lists.

  - when user cancels the GPG signing passphrase dialogue,     don't bother the user with an 'error' dialogue

  - Fix imap keyword search. Libetpan assumes keyword search     is a MUST but RFC states it is a MAY. Fix advanced     search on MS Exchange

  - fix SHIFT+SPACE in msg list, moving in reverse

  - revert pasting images as attachments

  - Fix help about command-line arguments that require a     parameter.

  - Printing: only print as plain text if the part is of     type text

  - fix a segfault with default info icon when trying to     print a non-text part.

  - Add a test on build-time libetpan version to require the     proper version at run-time (boo#1157594)

  - Move 'Mark all read/unread' menu entries where they     belong. remove-MarkAll-from-message-menu.patch     (claws#4278) add-MarkAll-to-folder-menu.patch     (claws#4278)

  - Make litehtml plugin build on Tumbleweed.

  - Update to 3.17.4 :

  - New HTML viewer plugin: Litehtml viewer

  - Added option 'Enable keyboard shortcuts' to the     'Keyboard shortcuts' frame on     /Configuration/Preferences/Other/Miscellaneous

  - Compose: implemented copying of attached images to     clipboard

  - Compose: images and text/uri-list (files) can now be     attached by pasting into the Compose window

  - Python plugin: window sizes are now remembered for the     Python console, the 'Open URLs' and the 'Set mailbox     order' windows.

  - Fancy plugin: the download-link feature now follows     redirections

  - MBOX export: the Enter key in the dialogue now starts     the export

  - The date (ISO format) has been added to log timestamps

  - Update translations

  - bug 1920, 'No automatic NNTP filtering'

  - bug 2045, 'address book blocks focus on email window'

  - bug 2131, 'Focus stealing after mail check'

  - bug 2627, 'Filtering does not work on NNTP'

  - bug 3070, 'misbehaving text wrapping when URL chars are     present'

  - bug 3838, 'Canceled right-click on message list leaves     UI in inconsistent state'

  - bug 3977, 'Fix crashes when some external APIs fail'

  - bug 3979, 'Hang (with killing needed) during action     which extracts attachments'

  - bug 4029, 'segfault after deleting message in a window'

  - bug 4031, 'fingerprint in SSL/TLS certificates for ...
    (regress error)'

  - bug 4037, 'Fix some small issues'

  - bug 4142, 'Translation error on Russian'

  - bug 4145, 'proxy server for sending doesn't work'

  - bug 4155, 'remember directory of last saving'

  - bug 4166, 'corrupted double-linked list'

  - bug 4167, 'Max line length exceeded when forwarding     mail'

  - bug 4188, 'STL file is sent not as an attachment but as     its base64 representation in plaintext'

  - CID 1442278, 'impossible to trigger buffer overflow'

  - Make key accelerators from menu work in addressbook     window

  - save checkbox choices of display/summaries/defaults     prefs

  - Do not throw an error when cancelling 'Save email     as...'.

  - occasional crash on drag'n'drop of msgs

  - possible stack overflow in vcalendar's Curl data handler

  - crash when LDAP address source is defined in index, but

  - support is disabled

  - crash in Fancy plugin if one of the MIME parts has no

  - -ID

  - a few small memory leaks in scan_mailto_url()

  - configure script for rare cases where python is not     installed

  - incorrect charset conversion in sc_html_read_line().

  - markup in 'key not fully trusted' warning in pgpcore

  - use after free in rare code path in rssyl_subscribe()

  - several memory leaks

  - verify_folderlist_xml() for fresh starts

  - printf formats for size_t and goffset arguments.

  - alertpanel API use in win32 part of mimeview.c

  - pid handling in debug output of kill_children_cb()

  - incorrect pointer arithmetic in w32_filesel.c

The remote host is affected by the vulnerability described in GLSA-202007-56 (Claws Mail: Improper STARTTLS handling)

    It was discovered that Claws Mail was not properly handling state within       the STARTTLS protocol handshake.
  Impact :

    There may be a breach of integrity or confidentiality in connections       made using Claws Mail with STARTTLS.
  Workaround :

    There is no known workaround at this time.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1045-1 advisory.

  - common/session.c in Claws Mail before 3.17.6 has a protocol violation because suffix data after STARTTLS     is mishandled. (CVE-2020-15917)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
139257	Fedora 32 : claws-mail (2020-2def860ce7)	Nessus	Fedora Local Security Checks	8/3/2020	2/27/2024	critical
139280	openSUSE Security Update : claws-mail (openSUSE-2020-1116)	Nessus	SuSE Local Security Checks	8/3/2020	2/27/2024	critical
139265	Fedora 31 : claws-mail (2020-fe6c1a9c16)	Nessus	Fedora Local Security Checks	8/3/2020	2/27/2024	critical
139303	openSUSE Security Update : claws-mail (openSUSE-2020-1139)	Nessus	SuSE Local Security Checks	8/4/2020	2/27/2024	critical
142560	openSUSE Security Update : claws-mail (openSUSE-2020-1822)	Nessus	SuSE Local Security Checks	11/6/2020	2/9/2024	critical
139119	GLSA-202007-56 : Claws Mail: Improper STARTTLS handling	Nessus	Gentoo Local Security Checks	7/30/2020	2/27/2024	critical
151702	openSUSE 15 Security Update : claws-mail (openSUSE-SU-2021:1045-1)	Nessus	SuSE Local Security Checks	7/16/2021	7/16/2021	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical

critical