There are 2 open security issues in buster.
2 issues left for the package maintainer to handle:
- CVE-2020-14929 (needs triaging):
  Alpine before 2.23 silently proceeds to use an insecure connection after a /tls is sent in certain circumstances involving PREAUTH, which is a less secure behavior than the alternative of closing the connection and letting the user decide what they would like to do.
- CVE-2021-38370 (needs triaging):
  In Alpine through 2.24, untagged responses from an IMAP server are accepted before STARTTLS.
You can find information about how to handle these issues in the security team's documentation.