Bug 525588

Summary: <mail-client/claws-mail-3.12.0: only uses vulnerable SSLv3 (CVE-2014-3566)
Product: Gentoo Security
Reporter: Brian Denton <gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: alexander, christian.tietz, jer, net-mail+disabled, polynomial-c, stefan-r-bz
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 569010, 570692
Bug Blocks:

Description Brian Denton 2014-10-16 18:25:17 UTC
Only SSLv3 is used by the current claws-mail...

saw this...
>> The last commit in Claws Mail GIT repository might resolve your
>> issue. 
here...
http://claws-mail.org/pipermail/users/2014-September/010696.html

So I believe it is fixed in a newer version.

Reproducible: Always

Steps to Reproduce:
check email over POP3 with SSL
Actual Results:
SSLv3 negotiation failure (I disabled SSLv3 for my dovecot server)

Expected Results:  
get muh emailz
Comment 1 Alexander Tsoy 2014-10-20 14:04:45 UTC
(In reply to Brian Denton from comment #0)

> Steps to Reproduce:
> check email over POP3 with SSL
> Actual Results:
> SSLv3 negotiation failure (I disabled SSLv3 for my dovecot server)

I also have dovecot with SSLv3 disabled, and I have no issues with claws-mail-3.10.1.

As for disabling SSLv3 entirely in claws-mail, the following commits should do it:

http://git.claws-mail.org/?p=claws.git;a=patch;h=6ab4f38a4f6e8c541fd6df93d7221bfc14fe7d7f;hp=7d0fc8614bba03387110f92587cd3de3b0e4152d
http://git.claws-mail.org/?p=claws.git;a=patch;h=c6dc3e229f361f11ab4920d84bb11b5821bc4e86;hp=dc8728ee3222dbe49cdac81e6dc72b2ba206a046

First patch applies only after removing the AUTHORS hunk. Second patch applies cleanly.
Comment 2 Alexander Tsoy 2014-10-20 16:12:59 UTC
And the first patch might actually solve your problem. See the original message you quoted (also dated Aug 28):

http://claws-mail.org/pipermail/users/2014-August/010626.html
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-23 07:31:05 UTC
3.11.0 is the first release that disables SSLv3 by default. 3.11.1 is in the tree.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-09 17:47:16 UTC
@maintainers: is 3.11.1 ready for stabilization?
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-09 20:13:10 UTC
*** Bug 531180 has been marked as a duplicate of this bug. ***
Comment 6 Christian Tietz 2015-01-18 00:14:09 UTC
With 3.11.1 being long enough in the tree, I would again like to ask for stabilization. Isn't it about time to finally fix this for stable branch as well?
Comment 7 Roland Ramthun 2015-05-19 19:24:42 UTC
This is still not fixed. As many servers have disabled SSLv3 now, you can't connect to any of them with the current stable version.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2016-04-26 06:37:39 UTC
Added to an existing GLSA Request.
Comment 9 Stefan Richter 2016-04-26 13:42:06 UTC
Isn't this bug obsolete?
There is only mail-client/claws-mail-3.13.2 in portage now.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2016-04-26 13:57:39 UTC
Not from a security perspective; the GLSA still has to be released.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-06-26 12:42:35 UTC
This issue was resolved and addressed in GLSA 201606-11 at https://security.gentoo.org/glsa/201606-11 by GLSA coordinator Aaron Bauman (b-man).