Bug 491372 (CVE-2013-4584) - net-mail/perdition : ssl_outgoing_ciphers not applied to STARTTLS connections
Summary: net-mail/perdition : ssl_outgoing_ciphers not applied to STARTTLS connections
Status: RESOLVED FIXED
Alias: CVE-2013-4584
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2013-11-15 20:23 UTC by Agostino Sarubbo
Modified: 2016-04-01 03:05 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-11-15 20:23:51 UTC
From ${URL} :

Perdition, the IMAP and POP proxy server, fails to apply the
administrator's specified ciphersuite preferences when making outbound
connections to IMAP and POP servers using STARTTLS.  For these outbound
connections, it applies the administrator's listening ciphersuite
preferences, which in many cases may be significantly weaker.

This was first noted publicly on the Debian BTS:

  http://bugs.debian.org/729028

All versions of perdition up to 2.0 appear to be affected, and the fix
is a one-line patch.

This is not a critical vulnerability (it can be mitigated, for example,
by enforcing a strict minimalist ciphersuite on the backend server), but
in the absence of any such mitigation, it may cause the connections
between the proxy server and the backend server to negotiate a weaker
ciphersuite than the administrator's stated intent.


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. Please remove the affected versions from the tree.
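As an added illustration (not code from perdition, the advisory, or the reporter), the following Python models the selection defect described above and uses OpenSSL's cipher-string expansion to show which suites a STARTTLS backend connection would be offered beyond the administrator's outgoing list. The configuration values, function names and the "fixed" switch are constructed for this example.

```python
import ssl

# Constructed configuration: a permissive listening list and a strict
# outgoing list. The option names follow the bug title; the values are
# illustrative and not taken from perdition's documentation.
CONFIG = {
    "ssl_listen_ciphers": "ALL:!aNULL:!eNULL",
    "ssl_outgoing_ciphers": "ECDHE+AESGCM",
}


def select_cipher_list(config, outgoing, starttls, fixed):
    """Return the cipher string a proxy would hand to OpenSSL.

    fixed=False models the defect described in CVE-2013-4584: the
    outgoing STARTTLS path reuses the listening preferences.
    fixed=True uses the outgoing list for every outgoing connection.
    """
    if outgoing and (fixed or not starttls):
        return config["ssl_outgoing_ciphers"]
    return config["ssl_listen_ciphers"]


def offered_suites(cipher_string):
    """Expand an OpenSSL cipher string into the suite names it admits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["name"] for c in ctx.get_ciphers()}


def extra_suites_exposed(config, fixed):
    """Suites offered to a STARTTLS backend that the administrator's
    outgoing list does not permit (empty once the selection is fixed)."""
    intended = offered_suites(config["ssl_outgoing_ciphers"])
    actual = offered_suites(select_cipher_list(config, True, True, fixed))
    return actual - intended


if __name__ == "__main__":
    for fixed in (False, True):
        extra = extra_suites_exposed(CONFIG, fixed)
        print(f"fixed={fixed}: {len(extra)} suites beyond the outgoing list")
        for name in sorted(extra)[:5]:
            print("   ", name)
```

The same `offered_suites` expansion can be pointed at a backend's own cipher setting to confirm that the mitigation the advisory mentions (a strict list on the server side) leaves nothing weaker to negotiate.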
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 08:37:27 UTC
# Aaron Bauman <bman@gentoo.org> (05 Mar 2016)
# Per security bug #491372 this package is vulnerable
# and unmaintained.  Removal in 30 days.
net-mail/perdition