525588 – <mail-client/claws-mail-3.12.0: only uses vulnerable SSLv3 (CVE-2014-3566)

Bug 525588 - <mail-client/claws-mail-3.12.0: only uses vulnerable SSLv3 (CVE-2014-3566)

Summary: <mail-client/claws-mail-3.12.0: only uses vulnerable SSLv3 (CVE-2014-3566)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [glsa]
Keywords:

Duplicates (1):	531180 (view as bug list)
Depends on:	CVE-2015-8614 CVE-2015-8708
Blocks:
	Show dependency tree

Reported:	2014-10-16 18:25 UTC by Brian Denton
Modified:	2016-06-26 12:42 UTC (History)
CC List:	6 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Brian Denton 2014-10-16 18:25:17 UTC

Only sslv3 is used by the current claws mail...

saw this...
>> The last commit in Claws Mail GIT repository might resolve your
>> issue. 
here...
http://claws-mail.org/pipermail/users/2014-September/010696.html

So I believe it is fixed in a newer version.

Reproducible: Always

Steps to Reproduce:
check email pop3 ssl
Actual Results:  
sslv3 negotiation failure (I disabled sslv3 for my dovecot server)

Expected Results:  
get muh emailz

Comment 1 Alexander Tsoy 2014-10-20 14:04:45 UTC

(In reply to Brian Denton from comment #0)

> Steps to Reproduce:
> check email pop3 ssl
> Actual Results:  
> sslv3 negotiation failure (I disabled sslv3 for my dovecot server)

I also have dovecot with disabled SSLv3 and I have no issues with claws-mail-3.10.1.


As for disabling SSLv3 entirely in claws-mail, the following commits should do it:

http://git.claws-mail.org/?p=claws.git;a=patch;h=6ab4f38a4f6e8c541fd6df93d7221bfc14fe7d7f;hp=7d0fc8614bba03387110f92587cd3de3b0e4152d
http://git.claws-mail.org/?p=claws.git;a=patch;h=c6dc3e229f361f11ab4920d84bb11b5821bc4e86;hp=dc8728ee3222dbe49cdac81e6dc72b2ba206a046

First patch applies only after removing the AUTHORS hunk. Second patch applies cleanly.

Comment 2 Alexander Tsoy 2014-10-20 16:12:59 UTC

And the first patch might actually solve your problem. See the original message you quoted (also dated Aug 28):

http://claws-mail.org/pipermail/users/2014-August/010626.html

Comment 3 Jeroen Roovers (RETIRED) gentoo-dev

2014-11-23 07:31:05 UTC

3.11.0 is the first release that disables SSL v3 by default. 3.11.1 is in the tree.

Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev

2014-12-09 17:47:16 UTC

@maintainers: is 3.11.1 ready for stabilization?

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2014-12-09 20:13:10 UTC

*** Bug 531180 has been marked as a duplicate of this bug. ***

Comment 6 Christian Tietz 2015-01-18 00:14:09 UTC

With 3.11.1 being long enough in the tree, I would again like to ask for stabilization. Isn't it about time to finally fix this for stable branch as well?

Comment 7 Roland Ramthun 2015-05-19 19:24:42 UTC

This still is not fixed. As many servers have disabled SSLv3 now, you can't connect to any of them with the current stable version.

Comment 8 Yury German Gentoo Infrastructure

2016-04-26 06:37:39 UTC

Added to an existing GLSA Request.

Comment 9 Stefan Richter 2016-04-26 13:42:06 UTC

Isn't this bug obsolete?
There is only mail-client/claws-mail-3.13.2 in portage now.

Comment 10 Yury German Gentoo Infrastructure

2016-04-26 13:57:39 UTC

Not from security perspective the GLSA still has to be released.

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2016-06-26 12:42:35 UTC

This issue was resolved and addressed in
 GLSA 201606-11 at https://security.gentoo.org/glsa/201606-11
by GLSA coordinator Aaron Bauman (b-man).