oss-sec mailing list archives
Re: Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol
From: Josh Bressers <bressers () redhat com>
Date: Mon, 3 Jan 2011 13:51:11 -0500 (EST)
----- Original Message -----
On Thu, Dec 23, 2010 at 03:43:40PM +0100, Jan Lieskovsky wrote:I), Didn't check SSL server certificate Description: OfflineIMAP prior commit: [1] https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a did not perform SSL server certificate validation, even when "ssl = yes" option was specified in the configuration file. If an attacker was able to get a carefully-crafted certificate signed by a Certificate Authority trusted by OfflineIMAP, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse OfflineIMAP into accepting it by mistake. References: [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603450 [3] https://bugzilla.redhat.com/show_bug.cgi?id=665382First of all, thank you very much Jan and all the Redhat team for reporting it up to the CVE database. The given patch from Sebastian Spaeth has been released in v6.3.2-rc1. I encourage distribution maintainers who want this fix to either deploy the RC release as is or backport the fix against the last release they own. I expect to release a new stable soon but I still didn't have feedback from users using SSL. The lack of feedback could mean that OfflineIMAP users don't expect SSL to work by still refering to the documentation they know (stating that SSL checks is not supported) or they don't hit problems at all. So, I'll wait a bit more before releasing the next stable.II), Allows SSLv2 protocol Description: In commit: [4] https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a when SSL server certificate validation support was added to OfflineIMAP it was still possible to use SSL v2 protocol version. Version 2 of SSL protocol version is known to be prone to multiple deficiencies, each of them having security implications (to mention some of them): [5] http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security Thus SSLv2 protocol version should be disabled in OfflineIMAP. References: [6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962 [7] https://bugzilla.redhat.com/show_bug.cgi?id=665386True.Could you allocate CVE ids for these issues? (though opened for discussion of any / none of them worthy of it)As the maintainer of OfflineIMAP, I think both issues should have their entry in the CVE List.
As upstream has requested two, here you go: CVE-2010-4532 offlineimap doesn't check SSL server certificate CVE-2010-4533 offlineimap allows sslv2 Thanks. -- JB
Current thread:
- Re: Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol Josh Bressers (Jan 03)