From ${URL} : Christian Schneider <software [at] chschneider [dot] eu> discovered that isync does no SSL subject (hostname) verification. This means that any host with a valid certificate could pretend to be the wanted host, as long as the certificate store contained the relevant root certificate. This could be used for man-in-the-middle attacks, which could be used to steal passwords. Workaround: Specify a CertificateFile which contains only the wanted host's certificate, thus disabling trust chain based verification. Early versions of isync's SSL support tried to enforce this mode of operation. Isync releases 0.4 up to including 1.0.5 are affected. Version 1.0.6 has been just released to address the issue. Download: https://sourceforge.net/projects/isync/files/isync/1.0.6/ Patch: http://isync.git.sourceforge.net/git/gitweb.cgi?p=isync/isync;a=patch;h=914ede18664980925628a9ed2a73ad05f85aeedb
+*isync-1.0.6 (20 Feb 2013) + + 20 Feb 2013; Eray Aslan <eras@gentoo.org> +isync-1.0.6.ebuild: + Security bump - bug #458420 + @security: We can stabilize =net-mail/isync-1.0.6. Thank you.
(In reply to comment #1) > +*isync-1.0.6 (20 Feb 2013) > + > + 20 Feb 2013; Eray Aslan <eras@gentoo.org> +isync-1.0.6.ebuild: > + Security bump - bug #458420 > + > > @security: We can stabilize =net-mail/isync-1.0.6. Thank you. Thanks, Eray. Arches, please test and mark stable.
x86 stable
amd64 stable
Ready for vote, I vote YES.
GLSA vote: yes. GLSA draft ready for review.
This issue was resolved and addressed in GLSA 201310-02 at http://security.gentoo.org/glsa/glsa-201310-02.xml by GLSA coordinator Sergey Popov (pinkbyte).