Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20141006090834.GD24136@zoho.com>
Date: Mon, 6 Oct 2014 09:08:34 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request(s): Getmail 4

Hello.

Getmail 4.0.0 introduced support for secure mail retrieval
(IMAP4-over-SSL and POP3-over-SSL). However, it lacked certificate
verification which rendered SSL/TLS transport entirely vulnerable to
MITM attacks. [*]

Getmail 4.44.0 added IMAP4-over-SSL certificate verification against
trusted root stores and/or SHA-256 digests. However, it lacked
certificate hostname validation such that adversaries in possesion of
arbitrary certificates signed by trusted root certificates could still
level MITM attacks. POP3-over-SSL remained vulnerable to MITM attacks.
[*]

Getmail 4.45.0 added IMAP4-over-SSL certificate hostname validation.
POP3-over-SSL remained vulnerable to MITM attacks. [*]

Getmail 4.46.0 added POP3-over-SSL certificate verification against
trusted root stores and/or SHA-256 digests as well as certificate
hostname validation. [*]

Please allocate CVE ID(s) for the above issues, as needed.

Thanks.

--mancha

[*] http://pyropus.ca/software/getmail/CHANGELOG

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.