oss-sec mailing list archives
isync/mbsync security advisory: missing SSL subject verification (CVE-2013-0289)
From: Oswald Buddenhagen <ossi () kde org>
Date: Wed, 20 Feb 2013 09:19:04 +0100
Christian Schneider <software [at] chschneider [dot] eu> discovered that isync does no SSL subject (hostname) verification. This means that any host with a valid certificate could pretend to be the wanted host, as long as the certificate store contained the relevant root certificate. This could be used for man-in-the-middle attacks, which could be used to steal passwords. Workaround: Specify a CertificateFile which contains only the wanted host's certificate, thus disabling trust chain based verification. Early versions of isync's SSL support tried to enforce this mode of operation. Isync releases 0.4 up to including 1.0.5 are affected. Version 1.0.6 has been just released to address the issue. Download: https://sourceforge.net/projects/isync/files/isync/1.0.6/ Patch: http://isync.git.sourceforge.net/git/gitweb.cgi?p=isync/isync;a=patch;h=914ede18664980925628a9ed2a73ad05f85aeedb
Current thread:
- isync/mbsync security advisory: missing SSL subject verification (CVE-2013-0289) Oswald Buddenhagen (Feb 20)
- Re: isync/mbsync security advisory: missing SSL subject verification (CVE-2013-0289) Vincent Danen (Feb 20)