From ${URL} : Various security-related flaws were fixed in getmail versions 4.44, 4.45, and 4.46 [1]. The version of getmail in epel-6 is: getmail-4.40.1-1.el6. CVEs for these issues were requested at [2]. Fedora and EPEL-7 ship getmail-4.46 and are thus not affected. [1] http://pyropus.ca/software/getmail/CHANGELOG [2] http://seclists.org/oss-sec/2014/q4/134 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
4.46 has been in the tree for a long time, feel free to stabilize it.
Arches, please test and mark stable: =net-mail/getmail-4.46.0 Target keywords : "amd64 ppc x86"
amd64 stable
ppc stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
CVE-2014-7275 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7275): The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof POP3 servers and obtain sensitive information via a crafted certificate. CVE-2014-7274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7274): The IMAP-over-SSL implementation in getmail 4.44.0 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate from a recognized Certification Authority. CVE-2014-7273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7273): The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate.
Arches, Thank you for your work Maintainer(s), please drop the vulnerable version. GLSA Vote: Yes
GLSA vote: yes glsa filed.
Maintainer(s), Thank you for cleanup!
This issue was resolved and addressed in GLSA 201412-50 at http://security.gentoo.org/glsa/glsa-201412-50.xml by GLSA coordinator Mikle Kolyada (Zlogene).
