Bug 514478 (CVE-2014-2014) - <net-mail/imapsync-1.592-r1: Attempts a cleartext login when a certificate verification failure occurs over TLS (CVE-2014-2014)
Status: RESOLVED FIXED
Alias: CVE-2014-2014
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: B3 [noglsa]
Keywords:
Duplicates: 522458
Depends on:
Blocks: CVE-2013-4279
Reported: 2014-06-22 19:09 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2015-12-31 04:39 UTC (History)
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-22 19:09:30 UTC
imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

@maintainers: Is the current 1.592 in tree ready for stabilization?
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-09-09 21:20:53 UTC
*** Bug 522458 has been marked as a duplicate of this bug. ***
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-09-09 22:43:56 UTC
CVE-2014-2014 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2014):
  imapsync before 1.584, when running with the --tls option, attempts a
  cleartext login when a certificate verification failure occurs, which allows
  remote attackers to obtain credentials by sniffing the network.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-09-09 22:45:32 UTC
http://ks.lamiral.info/imapsync/ version information
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-09-17 14:09:04 UTC
Version added to tree on 23 Jun 2014. No bugs in Bugzilla against it, 30 day window met. Calling for stabilization.

Arches, please test and mark stable:

=net-mail/imapsync-1.592-r1

Target Keywords : "amd64 ppc x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2014-09-18 13:18:37 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-09-18 13:19:04 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-10-05 15:05:53 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-10-05 17:09:16 UTC
(In reply to Agostino Sarubbo from comment #7)
> ppc stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

GLSA Vote: Yes
Comment 9 Manuel Rüger (RETIRED) gentoo-dev 2015-08-27 18:25:27 UTC
 04 Dec 2014; Tim Harder <radhermit@gentoo.org> -imapsync-1.567.ebuild,
 	  -imapsync-1.584-r1.ebuild:
	  Remove old.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 22:05:53 UTC
Vote: NO.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 04:39:25 UTC
GLSA Vote: No
Thank you all. Closing as noglsa.