| Field | Value |
|---|---|
| Summary | net-mail/fetchmail-6.3.11 : Improper SSL certificate subject verification (CVE-2009-2666) |
| Product | Gentoo Security |
| Reporter | Torsten Veller (RETIRED) <tove> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | net-mail+disabled |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.fetchmail.info/fetchmail-SA-2009-01.txt |
| Whiteboard | B3 [glsa] |
| Package list | |
| Runtime testing required | --- |
Description

Torsten Veller (RETIRED), 2009-08-06 07:07:58 UTC

Arches, please test and mark stable: =net-mail/fetchmail-6.3.11
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

USE=krb4 requires app-crypt/mit-krb5 built with USE=krb4, which is only available for < mit-krb5-1.7. I adjusted the dependency.

x86 stable.

ppc64 done

CVE-2009-2666 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2666): socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Stable for HPPA.

ppc stable

alpha/arm/ia64/s390/sh/sparc stable

amd64 stable, all arches done.

GLSA voting: yes

Yes, too.

Request filed.

GLSA 201006-12