isync/mbsync security advisory: missing SSL subject verification (CVE-2013-0289)

[Oswald Buddenhagen <ossi () kde org>]

Christian Schneider <software [at] chschneider [dot] eu> discovered that
isync does no SSL subject (hostname) verification.

This means that any host with a valid certificate could pretend to be
the wanted host, as long as the certificate store contained the relevant
root certificate. This could be used for man-in-the-middle attacks, which
could be used to steal passwords.

Workaround: Specify a CertificateFile which contains only the wanted
host's certificate, thus disabling trust chain based verification. Early
versions of isync's SSL support tried to enforce this mode of operation.

Isync releases 0.4 up to including 1.0.5 are affected. Version 1.0.6 has
been just released to address the issue.

Download: https://sourceforge.net/projects/isync/files/isync/1.0.6/
Patch: http://isync.git.sourceforge.net/git/gitweb.cgi?p=isync/isync;a=patch;h=914ede18664980925628a9ed2a73ad05f85aeedb