Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 176808

Summary: mail-client/sylpheed APOP design error (CVE-2007-1558)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: net-mail+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558
Whiteboard: B3 [noglsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 13:03:06 UTC 
+++ This bug was initially created as a clone of Bug #175021 +++

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions.
Comment 1 Raúl Porcel (RETIRED) gentoo-dev 2007-05-02 13:07:41 UTC 
mail-client/sylpheed-claws-2.4.0 which is already in the tree fixes this security bug.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2007-05-02 14:36:11 UTC 
mail-client/sylpheed-claws is dead dummy ebuild (and there's no 2.4.0 in the tree)

*** This bug has been marked as a duplicate of bug 176805 ***
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 14:56:49 UTC 
Typo in package name, affected package is sylpheed (all those claws apparently got me confused).

Arches please test and mark stable. Target keywords are:

sylpheed-2.4.0.ebuild:KEYWORDS="~alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-02 15:41:27 UTC 
sparc stable.
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2007-05-02 16:43:05 UTC 
ppc64 stable
Comment 6 Andrej Kacian (RETIRED) gentoo-dev 2007-05-02 19:25:59 UTC 
x86 done
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2007-05-02 20:15:36 UTC 
ia64 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-03 18:52:16 UTC 
ppc stable
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2007-05-03 19:17:09 UTC 
amd64 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2007-05-05 12:37:00 UTC 
Sorry for the late response. Stable for HPPA.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-19 22:54:17 UTC 
This one is ready for GLSA vote. I tend to vote NO.
Comment 12 Daniel Black (RETIRED) gentoo-dev 2007-05-19 23:03:49 UTC 
voting no
Comment 13 Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2007-05-20 15:30:56 UTC 
No again.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-20 16:08:25 UTC 
Closing with NO GLSA.