Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 6 Oct 2014 18:47:05 +0000
From: mancha <>
Subject: Re: CVE Request(s): Getmail 4

On Mon, Oct 06, 2014 at 11:45:27AM -0400, wrote:
> >
> > Getmail 4.45.0 added IMAP4-over-SSL certificate hostname validation.
> > POP3-over-SSL remained vulnerable to MITM attacks.
> The CHANGELOG says:
>   Version 4.46.0
>       -add missing support for SSL certificate checking in POP3 which
>       broke POP retrieval in v4.45.0.  Requires Python 2.6 or newer.
>       Thanks: "mancha".
> This depends on the interpretation of "broke POP retrieval."
> Do you mean that, in version 4.45.0, the client sent credentials over
> a POP3-over-SSL connection, and actual POP3 mail retrieval failed
> after credentials had already been sent? That behavior could have a
> Or do you mean that, in version 4.45.0, the POP3-over-SSL connection
> was never fully established, and the client would not have sent
> credentials? In other words, a MITM attack could succeed but there
> would be no security impact? That behavior would not have a CVE ID.

It's closer to the 2nd than the first. POP3-over-SSL stopped working
altogether and credentials were not sent over the wire:

Getmail 4.45.0:

  *Includes support for certificate hostname validation to be used 
   with IMAP4-over-SSL only. [1]

  *A regression was introduced because ssl_match_hostname() calls
   (for immediate use with IMAP4-over-SSL and future use with
   POP3-over-SSL) and related code were prematurely added to the
   POP3-over-SSL retrievers. [2]

Getmail 4.46.0:

  *Includes POP3-over-SSL support for: a) certificate verification
   against a root store; b) certificate validation against an anchor
   fingerprint; c) certificate hostname match validation. [3]

In sum, the regression in 4.45.0 has no security impact and is
orthogonal to the CVE request. Hope this clarifies (below matrix might
help further).




                      SSL Support Matrix

Version       IMAP4-over-SSL             POP3-over-SSL

4.0.0-4.43.0  No cert validation         No cert validation
4.44.0        Partial cert validation(a) No cert validation
4.45.0        Full cert validation       No cert validation(b)
4.46.0        Full cert validation       Full cert validation

(a) lacking certificate hostname checks
(b) still lacking cert validation infrastructure though a
    regression broke these retrievers entirely

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.