imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

@maintainers: Is the current 1.592 in tree ready for stabilization?
*** Bug 522458 has been marked as a duplicate of this bug. ***
CVE-2014-2014 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2014): imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.
http://ks.lamiral.info/imapsync/ version information
Version added to tree on 23 Jun 2014. No bugs in Bugzilla against it, 30 day window met. Calling for stabilization.

Arches, please test and mark stable:
=net-mail/imapsync-1.592-r1
Target Keywords : "amd64 ppc x86"

Thank you!
amd64 stable
x86 stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Agostino Sarubbo from comment #7)
> ppc stable.
>
> Maintainer(s), please cleanup.
> Security, please vote.

GLSA Vote: Yes
04 Dec 2014; Tim Harder <radhermit@gentoo.org> -imapsync-1.567.ebuild, -imapsync-1.584-r1.ebuild: Remove old.
Vote: NO.
GLSA Vote: No

Thank you all. Closing as noglsa.