Summary: | <mail-client/trojita-0.4.1 : ssl stripping (CVE-2014-2567) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | trivial | CC: | jkt |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.openwall.com/lists/oss-security/2014/03/19/21 | | |
Whiteboard: | ~4 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-03-20 08:30:52 UTC
This is now CVE-2014-2567. Upstream release 0.4.1 (on sourceforge, sha1sum 3db0c6736db9834630dc8bcded00707cfef60a20) fixes the problem. Please fix this by a version bump.

+*trojita-0.4.1 (21 Mar 2014) + + 21 Mar 2014; Agostino Sarubbo <ago@gentoo.org> +trojita-0.4.1.ebuild: + Version bump to 0.4.1 to fix CVE-2014-2567, wrt bug #505146

CVE-2014-2567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2567): The OpenConnectionTask::handleStateHelper function in Imap/Tasks/OpenConnectionTask.cpp in Trojita before 0.4.1 allows man-in-the-middle attackers to trigger use of cleartext for saving a message into a (1) sent or (2) draft folder via a PREAUTH response that prevents later use of the STARTTLS command.

Thanks all. Removing kde + qt from cc. Nothing to do here anymore.
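The check the CVE description implies, as an added example that is not part of this bug report and is not Trojita's code: an IMAP client configured to upgrade with STARTTLS has to fail closed when a cleartext connection opens with a PREAUTH greeting, because STARTTLS is only valid before authentication (RFC 3501). All type and function names below are hypothetical.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Hypothetical names; a sketch of the decision, not Trojita's OpenConnectionTask.
enum class Greeting { Ok, PreAuth, Bye, Malformed };
enum class NextStep { SendStartTls, ProceedToLogin, ProceedAuthenticated, Abort };

// Classify the untagged server greeting: "* OK ...", "* PREAUTH ...", "* BYE ...".
Greeting parseGreeting(const std::string &line) {
    if (line.rfind("* ", 0) != 0)
        return Greeting::Malformed;
    std::string word;
    for (std::size_t i = 2; i < line.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(line[i]);
        if (std::isspace(c))
            break;
        word += static_cast<char>(std::toupper(c));
    }
    if (word == "OK") return Greeting::Ok;
    if (word == "PREAUTH") return Greeting::PreAuth;
    if (word == "BYE") return Greeting::Bye;
    return Greeting::Malformed;
}

// encrypted:       the transport is already TLS (for example implicit TLS).
// requireStartTls: the account is configured to upgrade with STARTTLS.
NextStep decide(Greeting g, bool encrypted, bool requireStartTls) {
    switch (g) {
    case Greeting::Ok:
        return (requireStartTls && !encrypted) ? NextStep::SendStartTls
                                               : NextStep::ProceedToLogin;
    case Greeting::PreAuth:
        // PREAUTH puts the session in the authenticated state, where the
        // server will no longer accept STARTTLS. On a cleartext link that
        // must be encrypted, the only safe outcome is to drop the connection.
        if (requireStartTls && !encrypted)
            return NextStep::Abort;
        return NextStep::ProceedAuthenticated;
    default:
        return NextStep::Abort; // BYE or an unparseable greeting
    }
}

NextStep afterGreeting(const std::string &line, bool encrypted, bool requireStartTls) {
    return decide(parseGreeting(line), encrypted, requireStartTls);
}
```
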