Alpine: multiple libetpan packages: security update to 1.9.4-r0 (deprecated)

Severity: High | Tenable Self-Hosted Container Security | Plugin ID 400330

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection." (CVE-2020-15953)
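The buffering flaw described above, shown as an added defender-side illustration (not LibEtPan, MailCore 2, or Tenable code). The segment bytes, the FakeSocket class and both reader functions are constructed for this example; the hardened reader consumes only the STARTTLS reply line, so any plaintext a meddler-in-the-middle appends stays outside the pre-TLS buffer and is rejected by the TLS handshake instead of being parsed as a server response.

```python
import io

# Constructed sample: the server's "begin TLS" reply, with an injected IMAP
# untagged response appended to the same TCP segment by a meddler-in-the-middle.
INJECTED_SEGMENT = b"A001 OK Begin TLS now.\r\n* 1 FETCH (injected)\r\n"
CLEAN_SEGMENT = b"A001 OK Begin TLS now.\r\n"


class FakeSocket:
    """Minimal stand-in for a TCP socket (constructed for this example)."""

    def __init__(self, payload: bytes) -> None:
        self._buf = io.BytesIO(payload)

    def recv(self, n: int) -> bytes:
        return self._buf.read(n)

    def pending(self) -> int:
        """Bytes still on the wire, i.e. not yet consumed by the client."""
        return len(self._buf.getvalue()) - self._buf.tell()


def vulnerable_read_starttls_reply(sock):
    """Mimics the flaw: a large recv() pulls the reply and anything after it,
    then the leftover is kept in a buffer that is later parsed as though it
    had arrived inside the TLS session."""
    data = sock.recv(4096)
    line, _, leftover = data.partition(b"\r\n")
    return line, leftover  # leftover survives the TLS handshake: the bug


def hardened_read_starttls_reply(sock) -> bytes:
    """Reads exactly one CRLF-terminated line, one byte at a time, so no byte
    past the reply is consumed before TLS starts. Anything an attacker appended
    is then fed to the TLS handshake, which fails on it, rather than to the
    IMAP/SMTP/POP3 parser."""
    line = bytearray()
    while not line.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("EOF before STARTTLS reply completed")
        line += chunk
        if len(line) > 1024:
            raise ValueError("STARTTLS reply too long; refusing to continue")
    return bytes(line[:-2])


def pre_tls_buffer_is_clean(leftover: bytes) -> bool:
    """Check a client should make before handing the socket to TLS: any
    plaintext left in the read buffer at this point is response injection."""
    return leftover == b""
```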

See Also

https://git.alpinelinux.org/aports/commit/?id=5ed4e396bb324e9819f9555980039fe55d1caad1

https://git.alpinelinux.org/aports/commit/?id=f6b8c8ff1924324b5ae18ea879086deec396c9e5

Plugin Details

Severity: High

ID: 400330

Version: Revision 1.22

Type: Local

Published: 8/16/2023

Updated: 1/17/2024

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.37

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2020-15953

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/12/2020

Vulnerability Publication Date: 7/27/2020

Reference Information

CVE: CVE-2020-15953