Bug#: 175023
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>

Bug 175023 depends on: 178003

Description:   Opened: 2007-04-18 05:24 0000
The APOP protocol allows remote attackers to guess the first 3 characters of a
password via man-in-the-middle (MITM) attacks that use crafted message IDs and
MD5 collisions.

------- Comment #1 From Sune Kloppenborg Jeppesen 2007-05-02 11:16:08 0000 -------
net-mail, any news on this one?

------- Comment #2 From Fernando J. Pereda (RETIRED) 2007-05-08 19:23:11 0000 -------
Ouch... helps if I'm actually CCed :P

I'll see if upstream has released something related to this. Though I'm a bit
busy these days so I'd appreciate if someone does it.

Cheers.

- ferdy

------- Comment #3 From Sune Kloppenborg Jeppesen 2007-06-10 08:09:24 0000 -------
ferdy, any news on this one?

------- Comment #4 From Fernando J. Pereda (RETIRED) 2007-06-10 11:59:19 0000 -------
Sorry for the delay, I'm in exams period and haven't paid lots of attention to
Gentoo these days.

Mutt-1.5.16 has just been released with a fix for this. I'll provide an updated
ebuild soon.

- ferdy

------- Comment #5 From Sune Kloppenborg Jeppesen 2007-06-16 06:28:57 0000 -------
ferdy, any news on this one?

------- Comment #6 From Fernando J. Pereda (RETIRED) 2007-06-16 18:57:51 0000 -------
I have everything ready, but the sidebar patch hasn't been updated by its
upstream. I'm currently uploading the patchset to the mirrors so it is ready
once the sidebar patch is ready.

- ferd

------- Comment #7 From Sune Kloppenborg Jeppesen 2007-06-16 19:40:43 0000 -------
Thanks for the stats update. Please post again once the ebuild is committed.

------- Comment #8 From Sune Kloppenborg Jeppesen 2007-07-01 02:14:55 0000 -------
Ferdy, any news here?

------- Comment #9 From Pierre-Yves Rofes 2007-07-14 22:32:52 0000 -------
any news here?

------- Comment #10 From Pierre-Yves Rofes 2007-08-01 12:25:35 0000 -------
ferdy/net-mail, what's the status here?

------- Comment #11 From Fernando J. Pereda (RETIRED) 2007-08-08 09:42:59 0000 -------
The status is that I've been away and not every patch was ready when I wasn't
away. The hard part of the job was done as stated in comment #6 so anyone
could've finished it during my month off.

Anyway, everything should be ready now and I committed mail-client/mutt-1.5.16 a
couple of minutes ago.

- ferdy

------- Comment #12 From Torsten Veller 2007-08-08 10:00:29 0000 -------
(In reply to comment #6)
> I have everything ready, but the sidebar patch hasn't been updated by its
> upstream. I'm currently uploading the patchset to the mirrors so it is ready
> once the sidebar patch is ready.

(In reply to comment #11)
> The hard part of the job was done as stated in comment #6 so anyone
> could've finished it during my month off.

I wanted to bump it but the patches were already removed/cleaned from the
mirrors again.
Hint: The patchset must be uploaded again.

------- Comment #13 From Fernando J. Pereda (RETIRED) 2007-08-08 10:05:28 0000 -------
Shite... forgot that. I'll do it in a minute. Thanks Torsten.

- ferdy

------- Comment #14 From Sune Kloppenborg Jeppesen 2007-08-21 06:15:27 0000 -------
Ferdy, any news here?

------- Comment #15 From Fernando J. Pereda (RETIRED) 2007-08-21 06:27:43 0000 -------
Well... mutt-1.5.16 has been on the tree with a fix since:

---8<---
Comment  #11 From Fernando J. Pereda  2007-08-08 09:42:59 0000 
---8<---

That is, thirteen days. Also, stabilization of that version has been handled in
bug #178003 and all security supported archs already marked it as such.

Is there anything I'm missing?

- ferdy

------- Comment #16 From Sune Kloppenborg Jeppesen 2007-08-21 20:32:03 0000 -------
Sorry ferdy, I forgot about the other bug.

------- Comment #17 From Pierre-Yves Rofes 2007-09-01 21:35:47 0000 -------
finally closing without GLSA wrt the discussion on bug 178003, feel free to
reopen if you disagree.
