CVE-2009-3942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3942): Martin Lambers msmtp before 1.4.19, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
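The advisory text above describes the classic embedded-NUL problem: an X.509 name is an ASN.1 string with an explicit length and may contain a 0x00 byte, but a verifier that copies it into a C string and compares with a NUL-terminated routine stops at that byte. The following is an added example, not msmtp's or OpenSSL's code; it models the certificate name as a length-prefixed byte buffer (the same shape as OpenSSL's ASN1_STRING) so that it runs without any TLS library, and it places a vulnerable matcher beside a hardened one that rejects embedded NULs and compares full lengths. The sample names in main() are constructed for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two C strings. Like strcasecmp(), it
 * stops at the first terminating NUL of either string. */
static int ci_str_equal(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0') {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Vulnerable pattern (the defect class the advisory describes): the
 * ASN.1 name bytes are copied into a C string and compared with a
 * NUL-terminated routine, so an embedded 0x00 byte in the certificate
 * name silently truncates what is compared. Returns 1 on match. */
int vulnerable_match(const unsigned char *name, size_t name_len, const char *host)
{
    char buf[256];

    if (name_len >= sizeof buf)
        return 0;
    memcpy(buf, name, name_len);
    buf[name_len] = '\0';
    return ci_str_equal(buf, host);
}

/* Hardened matcher: the ASN.1 length is authoritative. Any embedded NUL
 * is rejected outright, the lengths must be identical, and the compare is
 * length-bounded rather than NUL-terminated. Returns 1 on match. */
int hardened_match(const unsigned char *name, size_t name_len, const char *host)
{
    size_t i, host_len = strlen(host);

    /* A legitimate DNS name never contains a NUL byte; if one is present
     * the declared length disagrees with what a C string would see. */
    if (memchr(name, '\0', name_len) != NULL)
        return 0;
    if (name_len != host_len)
        return 0;
    for (i = 0; i < name_len; i++) {
        if (tolower(name[i]) != tolower((unsigned char)host[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed test inputs: a genuine name and one carrying an embedded
     * NUL after the expected host name. sizeof - 1 keeps the full ASN.1
     * length, including the bytes after the 0x00. */
    static const char genuine[] = "mail.example.com";
    static const char embedded[] = "mail.example.com\0.example.net";
    const char *host = "mail.example.com";

    printf("vulnerable, genuine name : %d\n",
           vulnerable_match((const unsigned char *)genuine, sizeof genuine - 1, host));
    printf("vulnerable, embedded NUL : %d  (wrongly accepted)\n",
           vulnerable_match((const unsigned char *)embedded, sizeof embedded - 1, host));
    printf("hardened, genuine name   : %d\n",
           hardened_match((const unsigned char *)genuine, sizeof genuine - 1, host));
    printf("hardened, embedded NUL   : %d  (rejected)\n",
           hardened_match((const unsigned char *)embedded, sizeof embedded - 1, host));
    return 0;
}
```

The check worth carrying over to real code is the first one in `hardened_match`: compare the ASN.1-declared length of the CN or dNSName entry against the length a NUL-terminated routine would see, and treat any disagreement as a verification failure rather than a match.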
I'm preparing a non-maintainer commit to .19. Removing bug 301036 as dependency to track the .20 bump in there.
+*msmtp-1.4.19 (02 Apr 2010) + + 02 Apr 2010; Alex Legler <a3li@gentoo.org> -msmtp-1.4.9.ebuild, + -msmtp-1.4.14.ebuild, -msmtp-1.4.16.ebuild, -msmtp-1.4.17.ebuild, + +msmtp-1.4.19.ebuild: + Non-maintainer commit: Version bump for security bug 293647. Removing + unneeded vulnerable versions. +
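Review bot: the entry lists 1.4.9, 1.4.14, 1.4.16 and 1.4.17 as the vulnerable ebuilds removed, but the advisory covers every version before 1.4.19; the ChangeLog should either remove all remaining pre-1.4.19 ebuilds in the same commit or state which older versions are left in the tree pending stabilization, so that no affected version stays installable once 1.4.19 is marked stable.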
Arches, please test and mark stable: =mail-mta/msmtp-1.4.19
Target keywords: "amd64 ia64 ppc ppc64 sparc x86"
Tests passed successfully on x86.
x86 stable, thanks Andreas
alpha/ia64/sparc stable
ppc64 done
ppc done
amd64 stable, all arches done.
+ 17 Apr 2010; Alex Legler <a3li@gentoo.org> -msmtp-1.4.5.ebuild, + -msmtp-1.4.7.ebuild: + Removing vulnerable ebuilds, bug 293647. GLSA voting: YES
GLSA request filed.
This issue was resolved and addressed in GLSA 201206-34 at http://security.gentoo.org/glsa/glsa-201206-34.xml by GLSA coordinator Stefan Behte (craig).