CVE-2016-10727

NameCVE-2016-10727
Descriptioncamel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1443-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
evolution-data-server (PTS)jessie, jessie (lts)3.12.9~git20141128.5242b0-2+deb8u4fixed
stretch (security), stretch (lts), stretch3.22.7-1+deb9u2fixed
buster3.30.5-1+deb10u2fixed
buster (security), buster (lts)3.30.5-1+deb10u1fixed
bullseye3.38.3-1+deb11u2fixed
bookworm3.46.4-2fixed
sid, trixie3.54.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
evolution-data-serversourcewheezy(unfixed)end-of-life
evolution-data-serversourcejessie3.12.9~git20141128.5242b0-2+deb8u4DLA-1443-1
evolution-data-serversource(unstable)3.22.0-2

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1334842
https://gitlab.gnome.org/GNOME/evolution-data-server/commit/f26a6f67

Search for package or bug name: Reporting problems