CVE-2020-29547

NameCVE-2020-29547
DescriptionAn issue was discovered in Citadel through webcit-926. Meddler-in-the-middle attackers can pipeline commands after POP3 STLS, IMAP STARTTLS, or SMTP STARTTLS commands, injecting cleartext commands into an encrypted user session. This can lead to credential disclosure.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
citadel (PTS)jessie8.24-1vulnerable
stretch902-4vulnerable
buster917-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
citadelsourcejessie(unfixed)end-of-life
citadelsource(unstable)(unfixed)

Notes

[buster] - citadel <ignored> (Minor issue)
[stretch] - citadel <postponed> (Minor issue, revisit when fixed upstream)
https://uncensored.citadel.org/readfwd?go=Citadel Security?view=0?start_reading_at=2099264259#2099264259
https://nostarttls.secvuln.info/
CVE-2020-29547 and CVE-2021-37845 seem like dupes

Search for package or bug name: Reporting problems