From ${URL} : Marcus Meissner reported that the Claws Mail RSSyl plug-in, an RSS feed aggregator, does not verify SSL certificates: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3106 This allows for man-in-the-middle attacks. This issue was assigned CVE-2014-2576: http://seclists.org/oss-sec/2014/q1/636 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This issue is fixed upstream in claws-mail 3.10.0: Implement SSL certificate verification option (default, and per-feed). Fixes bug #3106, "Rssyl plugin does not verify SSL peer at all" http://git.claws-mail.org/?p=claws.git;a=commit;h=123cf6fbfe84f47d6bf277efc835a1b353ed0c94
CVE-2014-2576 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2576): plugins/rssyl/feed.c in Claws Mail before 3.10.0 disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.
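A source-audit check for the class of bug named in the CVE description above, as an added example that is not part of this bug thread or of Claws Mail's code: it flags libcurl calls that switch off `CURLOPT_SSL_VERIFYPEER` or `CURLOPT_SSL_VERIFYHOST`. The C sample is constructed for illustration, and the names `audit` and `strip_comments` are hypothetical.

```python
import re

# curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST, value);
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,]+,\s*"
    r"(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^;]+?)\s*\)\s*;"
)
# Literal values that turn each check fully on.
SAFE = {
    "CURLOPT_SSL_VERIFYPEER": {"1", "1L", "TRUE"},
    "CURLOPT_SSL_VERIFYHOST": {"2", "2L"},
}
# Literal values that turn a check off.
OFF = {"0", "0L", "FALSE"}

def strip_comments(src):
    """Blank out C comments, keeping newlines so line numbers stay valid.
    Simplification: string literals are not parsed."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group(0))
    return re.sub(r"/\*.*?\*/|//[^\n]*", blank, src, flags=re.S)

def audit(src):
    """Return (line, option, value, verdict) for every call that does not
    set the option to a known-safe literal."""
    code = strip_comments(src)
    findings = []
    for m in SETOPT.finditer(code):
        opt, val = m.group(1), m.group(2)
        if val.upper() in SAFE[opt]:
            continue
        # Non-literal or unusual values need a human to trace them.
        verdict = "disabled" if val.upper() in OFF else "review"
        line = code.count("\n", 0, m.start()) + 1
        findings.append((line, opt, val, verdict))
    return findings

# Constructed sample, not taken from plugins/rssyl/feed.c.
SAMPLE = """\
static void fetch(CURL *eh, const char *url, int verify)
{
    curl_easy_setopt(eh, CURLOPT_URL, url);
    /* curl_easy_setopt(eh, CURLOPT_SSL_VERIFYPEER, 0); */
    curl_easy_setopt(eh, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(eh, CURLOPT_SSL_VERIFYHOST, 0);
    curl_easy_setopt(eh, CURLOPT_SSL_VERIFYHOST, verify ? 2L : 0L);
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "review" verdict covers per-feed or user-configurable settings like the option added upstream, where the value is computed at run time and the default has to be checked by hand.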
Maintainer(s): Since the ebuild for 3.10.1 is in the tree, please let us know when the ebuild is ready for stabilization, or call for stabilization.
Sorry, my fault. Wrong package.

(In reply to Yury German from comment #3)
> Maintainer(s): Since ebuild for 3.10.1 is in the tree. Please let us know
> when the ebuild is ready for stabilization, or call for stabilization.

My fault, wrong package. Setting back to Ebuild
this package was removed
Package was removed from tree. GLSA Vote: No