| Summary: | <mail-client/claws-mail-3.12.0: only uses vulnerable SSLv3 (CVE-2014-3566) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Brian Denton <gentoo> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | alexander, christian.tietz, jer, net-mail+disabled, polynomial-c, stefan-r-bz |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 569010, 570692 | | |
| Bug Blocks: | | | |
Description
Brian Denton
2014-10-16 18:25:17 UTC
(In reply to Brian Denton from comment #0)
> Steps to Reproduce:
> check email pop3 ssl
> Actual Results:
> sslv3 negotiation failure (I disabled sslv3 for my dovecot server)

I also have dovecot with disabled SSLv3 and I have no issues with claws-mail-3.10.1. As for disabling SSLv3 entirely in claws-mail, the following commits should do it:

http://git.claws-mail.org/?p=claws.git;a=patch;h=6ab4f38a4f6e8c541fd6df93d7221bfc14fe7d7f;hp=7d0fc8614bba03387110f92587cd3de3b0e4152d
http://git.claws-mail.org/?p=claws.git;a=patch;h=c6dc3e229f361f11ab4920d84bb11b5821bc4e86;hp=dc8728ee3222dbe49cdac81e6dc72b2ba206a046

First patch applies only after removing the AUTHORS hunk. Second patch applies cleanly.

And the first patch might actually solve your problem. See the original message you quoted (also dated Aug 28): http://claws-mail.org/pipermail/users/2014-August/010626.html

3.11.0 is the first release that disables SSL v3 by default. 3.11.1 is in the tree. @maintainers: is 3.11.1 ready for stabilization?

*** Bug 531180 has been marked as a duplicate of this bug. ***

With 3.11.1 being long enough in the tree, I would again like to ask for stabilization.

Isn't it about time to finally fix this for the stable branch as well? This still is not fixed. As many servers have disabled SSLv3 now, you can't connect to any of them with the current stable version.

Added to an existing GLSA Request.

Isn't this bug obsolete? There is only mail-client/claws-mail-3.13.2 in portage now.

Not from a security perspective; the GLSA still has to be released.

This issue was resolved and addressed in GLSA 201606-11 at https://security.gentoo.org/glsa/201606-11 by GLSA coordinator Aaron Bauman (b-man).
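As an added example (not code from this bug thread or from claws-mail), a small parser that classifies a captured ClientHello by the highest protocol version it offers, which is how a mail-server operator could confirm from a packet capture that a client failing against an SSLv3-disabled Dovecot is an SSLv3-only client like the claws-mail versions discussed above. The sample ClientHellos are constructed inline; the parser handles only the pre-TLS-1.3 layout (no supported_versions extension).

```python
import struct

HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01   # handshake message type: ClientHello

def build_client_hello(version, cipher_suites):
    """Constructed sample: a minimal ClientHello (no extensions) offering
    `version` as (major, minor). Only used to exercise the parser offline."""
    body = struct.pack(">BB", *version)            # client_version
    body += b"\x00" * 32                            # random (zeroed in the sample)
    body += b"\x00"                                 # session_id length = 0
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                             # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # record header: type, version (major, minor), length
    return struct.pack(">BBBH", HANDSHAKE, version[0], version[1], len(hs)) + hs

def parse_client_hello(data):
    """Parse record header + ClientHello; return versions and offered suites."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, rmaj, rmin, rlen = struct.unpack(">BBBH", data[:5])
    if ctype != HANDSHAKE or len(data) < 5 + rlen:
        raise ValueError("not a complete handshake record")
    hs = data[5:5 + rlen]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hlen = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hlen]
    cmaj, cmin = body[0], body[1]
    off = 2 + 32                                    # skip client_version + random
    sid_len = body[off]
    off += 1 + sid_len                              # skip session_id
    cs_len = struct.unpack(">H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0]
              for i in range(off, off + cs_len, 2)]
    return {"record_version": (rmaj, rmin),
            "client_version": (cmaj, cmin),
            "cipher_suites": suites}

def is_sslv3_only(data):
    """True when the client offers at most SSL 3.0 (version 3.0), i.e. the
    condition in this bug: a server with SSLv3 disabled will refuse it."""
    return parse_client_hello(data)["client_version"] <= (3, 0)
```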