Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 293647 (CVE-2009-3942) - <mail-mta/msmtp-1.4.19 X.509 NULL spoofing vulnerability (CVE-2009-3942)
Summary: <mail-mta/msmtp-1.4.19 X.509 NULL spoofing vulnerability (CVE-2009-3942)
Status: RESOLVED FIXED
Alias: CVE-2009-3942
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://msmtp.sourceforge.net/news.html
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-18 19:31 UTC by Stefan Behte (RETIRED)
Modified: 2012-06-25 19:11 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-11-18 19:31:38 UTC 
CVE-2009-3942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3942):
  Martin Lambers msmtp before 1.4.19, when OpenSSL is used, does not
  properly handle a '\0' character in a domain name in the (1)
  subject's Common Name or (2) Subject Alternative Name field of an
  X.509 certificate, which allows man-in-the-middle attackers to spoof
  arbitrary SSL servers via a crafted certificate issued by a
  legitimate Certification Authority, a related issue to CVE-2009-2408.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-02 16:01:15 UTC 
I'm preparing a non-maintainer commit to .19.
Removing bug 301036 as dependency to track the .20 bump in there.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-02 16:18:07 UTC 
+*msmtp-1.4.19 (02 Apr 2010)
+
+  02 Apr 2010; Alex Legler <a3li@gentoo.org> -msmtp-1.4.9.ebuild,
+  -msmtp-1.4.14.ebuild, -msmtp-1.4.16.ebuild, -msmtp-1.4.17.ebuild,
+  +msmtp-1.4.19.ebuild:
+  Non-maintainer commit: Version bump for security bug 293647. Removing
+  unneeded vulnerable versions.
+
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-02 16:18:46 UTC 
Arches, please test and mark stable:
=mail-mta/msmtp-1.4.19
Target keywords : "amd64 ia64 ppc ppc64 sparc x86"
Comment 4 Andreas Schürch gentoo-dev 2010-04-02 18:19:53 UTC 
Tests passed successfully on x86.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-04-03 13:49:04 UTC 
x86 stable, thanks Andreas
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2010-04-04 18:53:46 UTC 
alpha/ia64/sparc stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2010-04-06 18:31:57 UTC 
ppc64 done
Comment 8 Brent Baude (RETIRED) gentoo-dev 2010-04-15 14:53:10 UTC 
ppc done
Comment 9 Markus Meier gentoo-dev 2010-04-15 20:14:47 UTC 
amd64 stable, all arches done.
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-17 18:54:43 UTC 
+  17 Apr 2010; Alex Legler <a3li@gentoo.org> -msmtp-1.4.5.ebuild,
+  -msmtp-1.4.7.ebuild:
+  Removing vulnerable ebuilds, bug 293647.


GLSA voting: YES
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 13:28:08 UTC 
glsa request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-06-25 19:11:35 UTC 
This issue was resolved and addressed in
 GLSA 201206-34 at http://security.gentoo.org/glsa/glsa-201206-34.xml
by GLSA coordinator Stefan Behte (craig).