CVE-2016-10727

Name: CVE-2016-10727
Description: camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1443-1
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                | Release                   | Version          | Status
evolution-data-server (PTS)   | stretch                   | 3.22.7-1         | fixed
evolution-data-server (PTS)   | stretch (security)        | 3.22.7-1+deb9u2  | fixed
evolution-data-server (PTS)   | buster, buster (security) | 3.30.5-1+deb10u1 | fixed
evolution-data-server (PTS)   | bullseye, sid             | 3.38.3-1         | fixed

The information below is based on the following data on fixed versions.

Package                | Type   | Release    | Fixed Version                       | Urgency | Origin     | Debian Bugs
evolution-data-server  | source | jessie     | 3.12.9~git20141128.5242b0-2+deb8u4  |         | DLA-1443-1 |
evolution-data-server  | source | (unstable) | 3.22.0-2                            |         |            |

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1334842
https://gitlab.gnome.org/GNOME/evolution-data-server/commit/f26a6f67
