CVE-2020-14928

Published: 08 July 2020

evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection."

Priority

Medium

CVSS 3 base score: 5.9

Status

Package Release Status
evolution-data-server
Launchpad, Ubuntu, Debian
Upstream
Released (3.36.4-1)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(3.36.4-1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (3.36.3-0ubuntu1.1)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (3.28.5-0ubuntu0.18.04.3)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (3.18.5-1ubuntu1.3)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/f404f33fb01b23903c2bbb16791c7907e457fbac
Upstream: https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/b74b765188d96803814acf69a510a7160d9ee6c5