Re: Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol

[Josh Bressers <bressers () redhat com>]

----- Original Message -----
> On Thu, Dec 23, 2010 at 03:43:40PM +0100, Jan Lieskovsky wrote:
> >   I), Didn't check SSL server certificate
> >
> >   Description:
> >   OfflineIMAP prior commit:
> >   [1]
> >   https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a
> >
> >   did not perform SSL server certificate validation,
> >   even when "ssl = yes" option was specified in the
> >   configuration file. If an attacker was able to get
> >   a carefully-crafted certificate signed by a
> >   Certificate Authority trusted by OfflineIMAP,
> >   the attacker could use the certificate during a
> >   man-in-the-middle attack and potentially confuse
> >   OfflineIMAP into accepting it by mistake.
> >
> >   References:
> >   [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603450
> >   [3] https://bugzilla.redhat.com/show_bug.cgi?id=665382
>
> First of all, thank you very much Jan and all the Redhat team for
> reporting it up to the CVE database.
>
> The given patch from Sebastian Spaeth has been released in v6.3.2-rc1.
> I
> encourage distribution maintainers who want this fix to either
>
> deploy the RC release as is
>
> or
>
> backport the fix against the last release they own.
>
> I expect to release a new stable soon but I still didn't have feedback
> from users using SSL. The lack of feedback could mean that
>
> OfflineIMAP users don't expect SSL to work by still refering to the
> documentation they know (stating that SSL checks is not supported)
>
> or
>
> they don't hit problems at all.
>
> So, I'll wait a bit more before releasing the next stable.
>
> >   II), Allows SSLv2 protocol
> >
> >   Description:
> >   In commit:
> >   [4]
> >   https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a
> >
> >   when SSL server certificate validation support was added
> >   to OfflineIMAP it was still possible to use SSL v2 protocol
> >   version. Version 2 of SSL protocol version is known
> >   to be prone to multiple deficiencies, each of them
> >   having security implications (to mention some of them):
> >   [5] http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security
> >
> >   Thus SSLv2 protocol version should be disabled in OfflineIMAP.
> >
> >   References:
> >   [6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962
> >   [7] https://bugzilla.redhat.com/show_bug.cgi?id=665386
>
> True.
>
> > Could you allocate CVE ids for these issues? (though opened for
> > discussion of any / none of them worthy of it)
>
> As the maintainer of OfflineIMAP, I think both issues should have
> their
> entry in the CVE List.

As upstream has requested two, here you go:

CVE-2010-4532 offlineimap doesn't check SSL server certificate
CVE-2010-4533 offlineimap allows sslv2

Thanks.

-- 
    JB