Message-ID: <5076FB43.80800@redhat.com>
Date: Thu, 11 Oct 2012 11:00:51 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>
Subject: Re: CVE request: sSMTP doesn't validate server certificates

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/11/2012 09:43 AM, Vincent Danen wrote:
> * [2012-10-10 11:59:13 +0200] Laurent Bigonville wrote:
> 
>> Hi,
>> 
>> It seems that sSMTP is not checking the server certificate when 
>> connecting. This is quite annoying as one of the main ssmtp
>> purposes is to be used on satellite systems that could be
>> connected to untrusted networks.
>> 
>> This has been reported (with a proposed patch) to the Debian BTS
>> (see [0])
>> 
>> Could you please allocate a CVE number for this?
>> 
>> Cheers
>> 
>> Laurent Bigonville
>> 
>> [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662960
> 
> I'm not sure it deserves one.
> 
> If you look at the TLS file in the source tarball, it indicates
> that checking server certificates is not implemented and is
> something to add in the future:
> 
> TODO: * Check server certificate for changes and notify about it. *
> Diffrent Certificate and Key file?
> 
> Since sSMTP clearly indicates that this feature is missing and 
> unsupported, then it was designed to _not_ do certificate
> checking. Regardless of how good or bad that is, it was a design
> choice (to leave it for a later date), and it's also clearly
> documented.
> 
> To me, that doesn't seem like a security flaw (as in sSMTP was
> designed to check certificates and didn't or didn't do a good job
> of it).

Agreed, it's documented as a missing capability, so adding this counts
as security hardening, not a security fix. No CVE assigned.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
-----END PGP SIGNATURE-----
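The behaviour the thread is about, a TLS client that encrypts but accepts any server certificate, versus one that verifies the chain and the hostname, shown as an added example that is not part of the thread or of the sSMTP code base. It uses Python's standard `ssl` and `smtplib` modules rather than sSMTP's own OpenSSL code; `audit_context` is a hypothetical helper written for this example, and the host, port and addresses in the `__main__` block are placeholders.

```python
"""Added example (not from the thread or the sSMTP project): what "checking the
server certificate" means for an SMTP client doing STARTTLS, using Python's
standard library. Host, port and mail addresses are placeholders."""
import smtplib
import ssl


def tls_context_for_smtp(ca_file=None, insecure=False):
    """Build the TLS context a mail client should use.

    The default path verifies the chain against the system trust store (or
    ca_file when given) and checks that the certificate matches the host we
    dialled. insecure=True reproduces the behaviour the thread describes:
    the handshake still encrypts, but any certificate is accepted, so an
    active attacker on an untrusted network can present its own.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    if insecure:
        # check_hostname must be turned off before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return findings describing why a context does not validate its peer.

    An empty list means the context verifies the chain, checks the hostname
    and refuses protocol versions older than TLS 1.2. (Hypothetical helper
    written for this example.)
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid cert for another name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings


def send_with_starttls(host, port, sender, recipient, body, ctx):
    """Send one message over STARTTLS using the supplied context.

    Because ctx is handed to starttls(), smtplib passes `host` as the
    server_hostname, and ssl raises SSLCertVerificationError before any
    SMTP data crosses the wire if the certificate does not verify or does
    not match `host`.
    """
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)  # chain and hostname are checked here
        smtp.ehlo()
        smtp.sendmail(sender, recipient, body)


if __name__ == "__main__":
    secure = tls_context_for_smtp()
    weak = tls_context_for_smtp(insecure=True)
    print("secure context findings:", audit_context(secure))
    print("weak context findings:", audit_context(weak))
    # A real send is left to the reader; the values below are placeholders:
    # send_with_starttls("mail.example.invalid", 587, "a@example.invalid",
    #                    "b@example.invalid", "Subject: test\r\n\r\nhi\r\n", secure)
```

The point Laurent raises is visible in `audit_context`: the weak context still negotiates TLS, so traffic looks encrypted on the wire, but nothing ties the key exchange to the server the client meant to reach. A client on an untrusted network needs the default path, and a deployment that pins a private CA passes it as `ca_file` rather than switching verification off.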
