Advisories » MGASA-2020-0390

Updated geary package fixes a security vulnerability

Publication date: 21 Oct 2020
Modification date: 21 Oct 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-24661

Description

GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for
IMAP and SMTP services using invalid TLS certificates (e.g., self-signed
certificates) when the client system is not configured to use a system-provided
PKCS#11 store. This allows a meddler in the middle to present a different
invalid certificate to intercept incoming and outgoing mail. (CVE-2020-24661)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=27242
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NS6CSTOBVO5HSAR3X5CT6DS6QDHXDB26/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24661

SRPMS

7/core

• geary-3.32.1-1.1.mga7