390887 – (CVE-2011-4318) <net-mail/dovecot-2.0.16: Possible Man-in-the-Middle Attacks (CVE-2011-4318)

Bug 390887 (CVE-2011-4318) - <net-mail/dovecot-2.0.16: Possible Man-in-the-Middle Attacks (CVE-2011-4318)

Summary: <net-mail/dovecot-2.0.16: Possible Man-in-the-Middle Attacks (CVE-2011-4318)

Status:	RESOLVED FIXED

Alias:	CVE-2011-4318

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://www.dovecot.org/list/dovecot-n...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2011-11-17 23:32 UTC by Tim Sammut (RETIRED)
Modified:	2012-03-06 21:33 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tim Sammut (RETIRED) gentoo-dev

2011-11-17 23:32:04 UTC

From the third-party advisory at https://secunia.com/advisories/46886/:

A security issue has been reported in Dovecot, which can be exploited by malicious people to conduct spoofing attacks.

The security issue is caused due the application not properly checking if the "Common Name" field provided inside SSL server certificates matches the requested hostname of a server. This can be exploited to e.g. conduct Man-in-the-Middle (MitM) attacks.

Successful exploitation requires that the application is configured to check for certificates.

The security issue is reported in versions prior to 2.0.16.

@Eray or @net-mail, 2.0.16 is already in the tree. Ok to stabilize it? Thanks.

Comment 1 Eray Aslan gentoo-dev

2011-11-18 03:53:06 UTC

@security:  Please stabilize =net-mail/dovecot-2.0.16. Thank you.

Comment 2 Tim Sammut (RETIRED) gentoo-dev

2011-11-18 05:19:40 UTC

Cool, thanks.

Arches, please test and mark stable:
=net-mail/dovecot-2.0.16
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Comment 3 Jeroen Roovers (RETIRED) gentoo-dev

2011-11-18 05:23:23 UTC

Stable for HPPA.

Comment 4 Agostino Sarubbo gentoo-dev

2011-11-18 11:45:03 UTC

amd64 ok

Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2011-11-22 16:16:12 UTC

x86 stable

Comment 6 Markus Meier gentoo-dev

2011-11-23 05:57:25 UTC

arm stable

Comment 7 Michael Harrison 2011-11-24 03:31:30 UTC

Second ago; amd64 ok

Comment 8 Markos Chandras (RETIRED) gentoo-dev

2011-11-25 23:57:40 UTC

amd64 done. Thanks Agostino and Michael

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2011-11-26 12:57:31 UTC

alpha/ia64/sparc stable

Comment 10 Mark Loeser (RETIRED) gentoo-dev

2011-12-18 21:56:35 UTC

ppc/ppc64 done

Comment 11 Tim Sammut (RETIRED) gentoo-dev

2011-12-18 22:01:55 UTC

Thanks, folks. GLSA Vote: yes.

Comment 12 toto 2012-02-14 17:31:02 UTC

2.0.16 broken server with vpopmail
from changelog 2.0.17 "vpopmail support was broken in v2.0.16"

Comment 13 Stefan Behte (RETIRED) gentoo-dev

2012-03-06 01:13:03 UTC

Vote: No.

Comment 14 Sean Amoss (RETIRED) gentoo-dev

2012-03-06 21:33:07 UTC

Vote: no.

Closing noglsa.