Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 458420 (CVE-2013-0289) - <net-mail/isync-1.0.6: missing SSL subject verification (CVE-2013-0289)
Summary: <net-mail/isync-1.0.6: missing SSL subject verification (CVE-2013-0289)
Status: RESOLVED FIXED
Alias: CVE-2013-0289
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-20 08:57 UTC by Agostino Sarubbo
Modified: 2013-10-05 21:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-20 08:57:41 UTC
From ${URL} :

Christian Schneider <software [at] chschneider [dot] eu> discovered that
isync does no SSL subject (hostname) verification.

This means that any host with a valid certificate could pretend to be
the wanted host, as long as the certificate store contained the relevant
root certificate. This could be used for man-in-the-middle attacks, which
could be used to steal passwords.

Workaround: Specify a CertificateFile which contains only the wanted
host's certificate, thus disabling trust chain based verification. Early
versions of isync's SSL support tried to enforce this mode of operation.

Isync releases 0.4 up to including 1.0.5 are affected. Version 1.0.6 has
been just released to address the issue.

Download: https://sourceforge.net/projects/isync/files/isync/1.0.6/
Patch: 
http://isync.git.sourceforge.net/git/gitweb.cgi?p=isync/isync;a=patch;h=914ede18664980925628a9ed2a73ad05f85aeedb
Comment 1 Eray Aslan gentoo-dev 2013-02-20 13:33:36 UTC
+*isync-1.0.6 (20 Feb 2013)
+
+  20 Feb 2013; Eray Aslan <eras@gentoo.org> +isync-1.0.6.ebuild:
+  Security bump - bug #458420
+

@security: We can stabilize =net-mail/isync-1.0.6.  Thank you.
Comment 2 Sean Amoss gentoo-dev Security 2013-02-20 22:39:19 UTC
(In reply to comment #1)
> +*isync-1.0.6 (20 Feb 2013)
> +
> +  20 Feb 2013; Eray Aslan <eras@gentoo.org> +isync-1.0.6.ebuild:
> +  Security bump - bug #458420
> +
> 
> @security: We can stabilize =net-mail/isync-1.0.6.  Thank you.

Thanks, Eray. Arches, please test and mark stable.
Comment 3 Agostino Sarubbo gentoo-dev 2013-02-21 20:53:20 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-02-24 11:25:40 UTC
amd64 stable
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 19:57:29 UTC
Ready for vote, I vote YES.
Comment 6 Sean Amoss gentoo-dev Security 2013-04-08 23:39:28 UTC
GLSA vote: yes.

GLSA draft ready for review.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-10-05 21:17:36 UTC
This issue was resolved and addressed in
 GLSA 201310-02 at http://security.gentoo.org/glsa/glsa-201310-02.xml
by GLSA coordinator Sergey Popov (pinkbyte).