Message-ID: <20141006090834.GD24136@zoho.com>
Date: Mon, 6 Oct 2014 09:08:34 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request(s): Getmail 4
Hello.
Getmail 4.0.0 introduced support for secure mail retrieval
(IMAP4-over-SSL and POP3-over-SSL). However, it lacked certificate
verification which rendered SSL/TLS transport entirely vulnerable to
MITM attacks. [*]
Getmail 4.44.0 added IMAP4-over-SSL certificate verification against
trusted root stores and/or SHA-256 digests. However, it lacked
certificate hostname validation such that adversaries in possession of
arbitrary certificates signed by trusted root certificates could still
level MITM attacks. POP3-over-SSL remained vulnerable to MITM attacks.
[*]
Getmail 4.45.0 added IMAP4-over-SSL certificate hostname validation.
POP3-over-SSL remained vulnerable to MITM attacks. [*]
Getmail 4.46.0 added POP3-over-SSL certificate verification against
trusted root stores and/or SHA-256 digests as well as certificate
hostname validation. [*]
Please allocate CVE ID(s) for the above issues, as needed.
Thanks.
--mancha
[*] http://pyropus.ca/software/getmail/CHANGELOG
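The three states the message describes (no verification, chain verification without hostname validation, full verification) expressed as Python ssl contexts, together with the SHA-256 digest check it mentions. This is an added illustration, not getmail's code; host, port and the pinned digest are placeholders.

```python
import hashlib
import hmac
import ssl
import imaplib


def make_context(verify_chain=True, verify_hostname=True, cafile=None):
    """Build an SSL context for IMAP4/POP3-over-SSL.

    verify_chain=False     -> pre-4.44.0 behaviour: any certificate accepted (MITM-able).
    verify_hostname=False  -> 4.44.0 behaviour: chain checked, but any cert signed by a
                              trusted root for any name is accepted (still MITM-able).
    both True              -> 4.46.0 behaviour: chain and hostname both validated.
    """
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify_hostname:
        ctx.check_hostname = False
    if not verify_chain:
        ctx.check_hostname = False  # must be cleared before switching to CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def cert_sha256_matches(der_cert, pinned_hex):
    """Constant-time comparison of a DER certificate's SHA-256 digest with a pin."""
    digest = hashlib.sha256(der_cert).hexdigest()
    pinned = pinned_hex.replace(":", "").lower()
    return hmac.compare_digest(digest, pinned)


def open_imap_ssl(host, port=993, pinned_sha256=None, cafile=None):
    """Connect over IMAP4-over-SSL with chain + hostname validation and optional pinning.

    host/port/pinned_sha256 are caller-supplied placeholders in this example.
    """
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=make_context(cafile=cafile))
    if pinned_sha256 is not None:
        der = conn.sock.getpeercert(binary_form=True)
        if not cert_sha256_matches(der, pinned_sha256):
            conn.shutdown()
            raise ssl.SSLError("peer certificate SHA-256 digest does not match pin")
    return conn
```

For POP3-over-SSL the same context is passed to poplib.POP3_SSL via its `context` keyword.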