Bug 175023 - mail-client/mutt APOP design error (CVE-2007-1558)
|
Bug#:
175023
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: normal
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: jaervosz@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558
|
|
Summary: mail-client/mutt APOP design error (CVE-2007-1558)
|
|
Keywords:
|
|
Status Whiteboard: B3 [noglsa] jaervosz
|
|
Opened: 2007-04-18 05:24 0000
|
The APOP protocol allows remote attackers to guess the first 3 characters of a
password via man-in-the-middle (MITM) attacks that use crafted message IDs and
MD5 collisions.
net-mail any news on this one?
Ouch... helps if I'm actually CCed :P
I'll see if upstream has released something related to this. Though I'm a bit
busy these days so I'd apreciate if someone does it.
Cheers.
- ferdy
ferdy, any news on this one?
Sorry for the delay, I'm in exams period and haven't paid lots of attention to
Gentoo these days.
Mutt-1.5.16 has just been released with a fix for this. I'll provide an updated
ebuild soon.
- ferdy
ferdy any news on this one?
I have everything ready, but the sidebar patch hasn't been updated by its
upstream. I'm currently uploading the patchset to the mirrors so it is ready
once the sidebar patch is ready.
- ferd
Thanks for the stats update. Please post again once the ebuild is committed.
ferdy/net-mail, what's the status here?
The status is that I've been away and not every patch was ready when I wasn't
away. The hard part of the job was done as stated in comment #6 so anyone
could've finished it during my month off.
Anyway, everything should be ready now and I commited mail-client/mutt-1.5.16 a
couple of minutes ago.
- ferdy
(In reply to comment #6)
> I have everything ready, but the sidebar patch hasn't been updated by its
> upstream. I'm currently uploading the patchset to the mirrors so it is ready
> once the sidebar patch is ready.
(In reply to comment #11)
> The hard part of the job was done as stated in comment #6 so anyone
> could've finished it during my month off.
I wanted to bump it but the patches were already removed/cleaned from the
mirrors again.
Hint: The patchset must be uploaded again.
Shite... forgot that. I'll do it in a minute. Thanks Torsten.
- ferdy
Well... mutt-1.5.16 has been on the tree with a fix since:
---8<---
Comment #11 From Fernando J. Pereda 2007-08-08 09:42:59 0000
---8<---
That is, thirteen days. Also, stabilization of that version has been handled in
bug #178003 and all security supported archs already marked it as such.
Is there anything I'm missing?
- ferdy
Sorry ferdy I forgot about the other bug.
finally closing without GLSA wrt the discussion on bug 178003, feel free to
reopen if you disagree.
