Candidate: CVE-2020-24661
PublicDate: 2020-08-26 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24661
 https://gitlab.gnome.org/GNOME/geary/-/issues/866
 https://gitlab.gnome.org/GNOME/geary/-/commit/0fc8c7c62e8af5734f3ad17f158e5bed7f05fc18 (merge)
Description:
 GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. This allows a meddler in the middle to present a different invalid certificate to intercept incoming and outgoing mail.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]

Patches_geary:
 upstream: https://gitlab.gnome.org/GNOME/geary/-/commit/423a55b00f1dc6bee9dc17e67c0aea6f42387a77
upstream_geary: needs-triage
precise/esm_geary: DNE
trusty_geary: ignored (out of standard support)
trusty/esm_geary: DNE
xenial_geary: ignored (end of standard support, was needs-triage)
bionic_geary: needs-triage
focal_geary: needs-triage
groovy_geary: not-affected (3.38.0.1-3)
hirsute_geary: not-affected (3.38.0.1-3)
impish_geary: not-affected (3.38.0.1-3)
jammy_geary: not-affected (3.38.0.1-3)
devel_geary: not-affected (3.38.0.1-3)