Summary: | <net-mail/getmail-4.46.0: various flaws related to IMAP4-over-SSL certificate validation (CVE-2014-{7273,7274,7275}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | net-mail+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1149728 | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-10-07 09:45:28 UTC
4.46 has been in the tree for a long time, feel free to stabilize it. Arches, please test and mark stable: =net-mail/getmail-4.46.0 Target keywords : "amd64 ppc x86" amd64 stable ppc stable x86 stable. Maintainer(s), please cleanup. Security, please vote. CVE-2014-7275 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7275): The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof POP3 servers and obtain sensitive information via a crafted certificate. CVE-2014-7274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7274): The IMAP-over-SSL implementation in getmail 4.44.0 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate from a recognized Certification Authority. CVE-2014-7273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7273): The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate. Arches, Thank you for your work Maintainer(s), please drop the vulnerable version. GLSA Vote: Yes GLSA vote: yes glsa filed. Maintainer(s), Thank you for cleanup! This issue was resolved and addressed in GLSA 201412-50 at http://security.gentoo.org/glsa/glsa-201412-50.xml by GLSA coordinator Mikle Kolyada (Zlogene). |