geary: mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (CVE-2020-24661) (#11952) · Issues · alpine / aports

geary: mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (CVE-2020-24661)

GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. This allows a meddler in the middle to present a different invalid certificate to intercept incoming and outgoing mail.

Fixed In Version:

geary 3.36.3.1

References:

https://bugs.gentoo.org/show_bug.cgi?id=CVE-2020-24661
https://security-tracker.debian.org/tracker/CVE-2020-24661

Affected branches:

master (0e777ba2)
3.12-stable

Edited Sep 15, 2020 by Leo

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.