Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20101223192602.GA4105@sig21.net>
Date: Thu, 23 Dec 2010 20:26:03 +0100
From: Johannes Stezenbach <js@...21.net>
To: Nicolas Sebrecht <nicolas.s-dev@...oste.net>
Cc: Jan Lieskovsky <jlieskov@...hat.com>,
	"Steven M. Christey" <coley@...us.mitre.org>,
	oss-security <oss-security@...ts.openwall.com>,
	david b <db.pub.mail@...il.com>,
	Christoph Höger <choeger@...tu-berlin.de>,
	John Goerzen <jgoerzen@...plete.org>
Subject: Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote
 SSL server certificate 2), allows SSLv2 protocol

On Thu, Dec 23, 2010 at 07:55:50PM +0100, Nicolas Sebrecht wrote:
> On Thu, Dec 23, 2010 at 03:43:40PM +0100, Jan Lieskovsky wrote:
> > 
> >   II), Allows SSLv2 protocol
...
> >   [6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962

Please note that I reported this issue for the python2.6
package and not for the offlineimap package.  While I
noticed it with offlineimap, I think the bug is either
in Python or in openssl.  According to Python documentation
it should default to use SSLv3.

OTOH it wouldn't hurt if offlineimap would allow the user
to specify the protocol version (TLSv1, SSLv3, SSLv2).


Thanks
Johannes

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.