Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 359257 (CVE-2011-1429) - net-mail/mutt: SMTP TLS Certificate Security Bypass Vulnerability (CVE-2011-1429)
Summary: net-mail/mutt: SMTP TLS Certificate Security Bypass Vulnerability (CVE-2011-1...
Status: RESOLVED FIXED
Alias: CVE-2011-1429
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-17 10:17 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2014-06-05 08:49 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-17 10:17:54 UTC 
Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766.

http://seclists.org/fulldisclosure/2011/Mar/87
Comment 1 Fabian Groffen gentoo-dev 2011-03-17 10:43:04 UTC 
Ok, this issue is reduced to gnutls only.  I'm fine with masking the gnutls USE-flag until a patch from upstream is submitted.

I think this corresponds to upstream bug
http://dev.mutt.org/trac/ticket/3506
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-06-20 18:39:37 UTC 
CVE-2011-1429 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1429):
  Mutt does not verify that the smtps server hostname matches the domain name
  of the subject of an X.509 certificate, which allows man-in-the-middle
  attackers to spoof an SSL SMTP server via an arbitrary certificate, a
  different vulnerability than CVE-2009-3766.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 18:30:56 UTC 
Patch available at [1], not sure if it's in any current mutt versions.
[1] http://dev.mutt.org/trac/changeset/d7f4b2e2b09a
Comment 4 Fabian Groffen gentoo-dev 2013-09-03 18:48:26 UTC 
nope it's not in, we'll have to pick that one
Comment 5 Fabian Groffen gentoo-dev 2013-09-09 19:15:45 UTC 
this should be in 1.5.21-r13
Comment 6 Sergey Popov gentoo-dev 2014-06-05 08:49:44 UTC 
Covered by GLSA 201406-05