
Bug 390887 (CVE-2011-4318)

Summary: <net-mail/dovecot-2.0.16: Possible Man-in-the-Middle Attacks (CVE-2011-4318)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: eras, net-mail+disabled, toto
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.dovecot.org/list/dovecot-news/2011-November/000200.html
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-11-17 23:32:04 UTC
From the third-party advisory at https://secunia.com/advisories/46886/:

A security issue has been reported in Dovecot, which can be exploited by malicious people to conduct spoofing attacks.

The security issue is caused due to the application not properly checking if the "Common Name" field provided inside SSL server certificates matches the requested hostname of a server. This can be exploited to e.g. conduct Man-in-the-Middle (MitM) attacks.

Successful exploitation requires that the application is configured to check for certificates.

The security issue is reported in versions prior to 2.0.16.

@Eray or @net-mail, 2.0.16 is already in the tree. Ok to stabilize it? Thanks.
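For readers who want to see what the missing check in the advisory above amounts to, the following is an added example (not Dovecot's code, nor anything from this bug; Dovecot's fix lives in its C code base and is not reproduced): an RFC 6125 style hostname check run over constructed certificates in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns, next to a client context in which the TLS library performs the same check itself. A certificate with a valid chain but the wrong name is exactly the case this check rejects and the certificate-chain check alone does not.

```python
import ssl


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name (maybe '*.example.org') against hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, must leave at least two
    # labels after it ('*.com' is rejected), and never spans a dot.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate asserts: dNSName SANs, else the subject CN."""
    dns = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns:
        return dns
    return [v for rdn in cert.get("subject", ())
            for (k, v) in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """The check CVE-2011-4318 lacked: was this cert issued for the requested host?"""
    return any(_name_match(name, hostname) for name in cert_names(cert))


def strict_client_context() -> ssl.SSLContext:
    """Client context in which the TLS library enforces the same check."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must validate ...
    ctx.check_hostname = True             # ... and the name must match
    return ctx


# Constructed certificates in getpeercert() shape (not real certificates).
SERVER_CERT = {
    "subject": ((("commonName", "imap.example.org"),),),
    "subjectAltName": (("DNS", "imap.example.org"), ("DNS", "*.mail.example.org")),
}
MITM_CERT = {  # valid chain, wrong name: only the hostname check catches it
    "subject": ((("commonName", "relay.example.net"),),),
    "subjectAltName": (("DNS", "relay.example.net"),),
}
```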
Comment 1 Eray Aslan gentoo-dev 2011-11-18 03:53:06 UTC
@security:  Please stabilize =net-mail/dovecot-2.0.16. Thank you.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-11-18 05:19:40 UTC
Cool, thanks.

Arches, please test and mark stable:
=net-mail/dovecot-2.0.16
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-18 05:23:23 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2011-11-18 11:45:03 UTC
amd64 ok
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-11-22 16:16:12 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2011-11-23 05:57:25 UTC
arm stable
Comment 7 Michael Harrison 2011-11-24 03:31:30 UTC
Second ago; amd64 ok
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-11-25 23:57:40 UTC
amd64 done. Thanks Agostino and Michael
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-11-26 12:57:31 UTC
alpha/ia64/sparc stable
Comment 10 Mark Loeser (RETIRED) gentoo-dev 2011-12-18 21:56:35 UTC
ppc/ppc64 done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-12-18 22:01:55 UTC
Thanks, folks. GLSA Vote: yes.
Comment 12 toto 2012-02-14 17:31:02 UTC
2.0.16 broke the server with vpopmail.
From the 2.0.17 changelog: "vpopmail support was broken in v2.0.16"
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:13:03 UTC
Vote: No.
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-06 21:33:07 UTC
Vote: no.

Closing noglsa.