CVE-2016-10727

NameCVE-2016-10727
Descriptioncamel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1443-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
evolution-data-server (PTS)buster3.30.5-1+deb10u2fixed
buster (security)3.30.5-1+deb10u1fixed
bullseye3.38.3-1+deb11u2fixed
bookworm3.46.4-2fixed
trixie3.50.3-1fixed
sid3.50.3-2.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
evolution-data-serversourcejessie3.12.9~git20141128.5242b0-2+deb8u4DLA-1443-1
evolution-data-serversource(unstable)3.22.0-2

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1334842
https://gitlab.gnome.org/GNOME/evolution-data-server/commit/f26a6f67
Search for package or bug name: Reporting problems