281559 – <mail-filter/mailfilter-0.8.2 APOP design error (CVE-2007-1558)

Bug 281559 - <mail-filter/mailfilter-0.8.2 APOP design error (CVE-2007-1558)

Summary: <mail-filter/mailfilter-0.8.2 APOP design error (CVE-2007-1558)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor
Assignee:	Gentoo Security

URL:	http://cve.mitre.org/cgi-bin/cvename....
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2009-08-15 09:29 UTC by Robert Buchholz (RETIRED)
Modified:	2009-08-31 07:32 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2009-08-15 09:29:33 UTC

+++ This bug was initially created as a clone of Bug #175021 +++

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions.

Mailfilter 0.8.2 is now out and added the mitigation mutt added a while 
ago: http://mailfilter.sourceforge.net/NEWS

patch:
http://mailfilter.svn.sourceforge.net/viewvc/mailfilter?view=rev&revision=17

Comment 1 Torsten Veller (RETIRED) gentoo-dev

2009-08-15 11:12:36 UTC

0.8.2 is in the tree now.

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2009-08-15 11:40:12 UTC

Arches, please test and mark stable:
=mail-filter/mailfilter-0.8.2
Target keywords : "ppc sparc x86"

Comment 3 Christian Faulhammer (RETIRED) gentoo-dev

2009-08-16 08:51:01 UTC

x86 stable

Comment 4 nixnut (RETIRED) gentoo-dev

2009-08-23 10:05:45 UTC

ppc stable

Comment 5 Raúl Porcel (RETIRED) gentoo-dev

2009-08-28 12:05:02 UTC

sparc stable

Comment 6 Alex Legler (RETIRED) archtester

2009-08-31 07:32:20 UTC

Closing noglsa in line with the other CVE-2007-1558 bugs.