Bug 176808 - mail-client/sylpheed APOP design error (CVE-2007-1558)
Summary: mail-client/sylpheed APOP design error (CVE-2007-1558)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B3 [noglsa] jaervosz
Reported: 2007-05-02 13:03 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-05-20 16:08 UTC

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 13:03:06 UTC
+++ This bug was initially created as a clone of Bug #175021 +++

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions.
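The following is an added example, not part of the original report and not sylpheed's code: it shows the APOP digest a client sends (MD5 over the server's challenge followed by the password) and a client-side check that refuses to answer a challenge that is not a well-formed message ID. The validation policy and the function names are assumptions made for this sketch; the first greeting is the sample from RFC 1939, the second is constructed.

```python
import hashlib
import re

# Assumed policy: the challenge must look like <local@domain> in printable
# ASCII, with no whitespace, control or 8-bit bytes and no nested brackets.
_MSG_ID = re.compile(r"<[!-;=?A-~]+@[!-;=?A-~]+>")

# RFC 1939 sample greeting, and a constructed greeting carrying binary bytes.
RFC_GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n"
BINARY_GREETING = b"+OK ready <1896.\x80\x00\xff@mail.example>\r\n"


def extract_challenge(greeting: bytes) -> bytes:
    """Return the APOP challenge from a POP3 greeting, or raise ValueError."""
    if not greeting.startswith(b"+OK"):
        raise ValueError("greeting is not +OK")
    start, end = greeting.find(b"<"), greeting.rfind(b">")
    if start < 0 or end < start:
        raise ValueError("server did not offer an APOP challenge")
    raw = greeting[start:end + 1]
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("challenge contains 8-bit bytes") from None
    if not _MSG_ID.fullmatch(text):
        raise ValueError("challenge is not a well-formed message ID")
    return raw


def apop_digest(challenge: bytes, secret: bytes) -> str:
    """APOP response digest: hex MD5 over the challenge followed by the secret."""
    return hashlib.md5(challenge + secret).hexdigest()


def safe_apop_response(greeting: bytes, user: str, secret: bytes) -> str:
    """Build the APOP command only when the challenge passes validation."""
    return f"APOP {user} {apop_digest(extract_challenge(greeting), secret)}"


if __name__ == "__main__":
    print(safe_apop_response(RFC_GREETING, "mrose", b"tanstaaf"))
    try:
        safe_apop_response(BINARY_GREETING, "mrose", b"tanstaaf")
    except ValueError as exc:
        print("refused:", exc)
```

Strict validation only narrows what a server or an interposed party can make the client hash; APOP still depends on MD5, so authenticating over a TLS-protected session remains the stronger option.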
Comment 1 Raúl Porcel (RETIRED) gentoo-dev 2007-05-02 13:07:41 UTC
mail-client/sylpheed-claws-2.4.0 which is already in the tree fixes this security bug.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2007-05-02 14:36:11 UTC
mail-client/sylpheed-claws is a dead dummy ebuild (and there's no 2.4.0 in the tree)

*** This bug has been marked as a duplicate of bug 176805 ***
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 14:56:49 UTC
Typo in package name, affected package is sylpheed (all those claws apparently got me confused).

Arches please test and mark stable. Target keywords are:

sylpheed-2.4.0.ebuild:KEYWORDS="~alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-02 15:41:27 UTC
sparc stable.
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2007-05-02 16:43:05 UTC
ppc64 stable
Comment 6 Andrej Kacian (RETIRED) gentoo-dev 2007-05-02 19:25:59 UTC
x86 done
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2007-05-02 20:15:36 UTC
ia64 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-03 18:52:16 UTC
ppc stable
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2007-05-03 19:17:09 UTC
amd64 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2007-05-05 12:37:00 UTC
Sorry for the late response. Stable for HPPA.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-19 22:54:17 UTC
This one is ready for GLSA vote. I tend to vote NO.
Comment 12 Daniel Black (RETIRED) gentoo-dev 2007-05-19 23:03:49 UTC
voting no
Comment 13 Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2007-05-20 15:30:56 UTC
No again.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-20 16:08:25 UTC
Closing with NO GLSA.