Re: CVE request: sSMTP doesn't validate server certificates

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/11/2012 09:43 AM, Vincent Danen wrote:
> * [2012-10-10 11:59:13 +0200] Laurent Bigonville wrote:
>
> > Hi,
> >
> > It seems that sSMTP is not checking the server certificate when 
> > connecting. This is quite annoying as one of the main ssmtp
> > purpose is to be used on satellite systems that could be
> > connected to untrusted networks.
> >
> > This has been reported (with a proposed patch) to the Debian BTS
> > (see [0])
> >
> > Could you please allocate a CVE number for this?
> >
> > Cheers
> >
> > Laurent Bigonville
> >
> > [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662960
>
> I'm not sure it deserves one.
>
> If you look at the TLS file in the source tarball, it indicates
> that checking server certificates is not implemented and is
> something to add in the future:
>
> TODO: * Check server certificate for changes and notify about it. *
> Diffrent Certificate and Key file?
>
> Since sSMTP clearly indicates that this feature is missing and 
> unsupported, then it was designed to _not_ do certificate
> checking. Regardless of how good or bad that is, it was a design
> choice (to leave it for a later date), and it's also clearly
> documented.
>
> To me, that doesn't seem like a security flaw (as in sSMTP was
> designed to check certificates and didn't or didn't do a good job
> of it).

Agreed, it's documented as a missing capability, so adding this counts
as security hardening, not a security fix. No CVE assigned.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQdvtAAAoJEBYNRVNeJnmThPIP/jXLMk2ZFbkW6D+itHm4BhDV
6Me9vqFq5ak0SM9SSj0I6+K2J2ne40oIUBx4HWha355OEP3knVZIwpQAsy448Akb
yTHNyYBDuOdahe+ZGvPM0T516BXMfx0B8nnirDY0TGchjShQECuYJzrrcKGm3q76
yACkNfAdUEosW9D+iik+r2mhOaNrEZRjarv5dbUqDrngJzguoJaDkHaZaVEL2oa8
6dHeS0ZzbEysQjHEhlx0hwe9Gla0gUfIq+yJZAywLWhiGwiSLIZD9RqgC4REEsIq
BEcAaPkfv5kzINJhdH2YshVoQE4+y7nHhaLBGkJR4pjo0E3AF/r12Vd3NR/PjMv8
mITWCAMMYPZgshYhHDknPhH5k+YFon1Mhf0FlZ2c7yhyT3XU9aTc3h491flMCWbt
Yi4uqsaH4PvNePwKDvxIGrjJy71GkN4WTG5eR1o9K7+dkkoY6r/Fd6lMDzhlTKDm
ebCt6fDiEf4qFBgogQKJWoKRwmBBqa5UxKYWzw9xmbNNPz3MdxcXU5t7Yc462j4N
0AoU58/3iatReYuSftZvLHRTYpe9x5C1ifh2CXUxuY6V+HkShxu3uIKMYrNh4dgl
L4aUETvYriNMjYZZws+N2+cYAUZ/FBY+7fVPfOsTb+IlamBS7daTn1pU0tOFMb2m
gl2+SBdo+XihXxYHGlxC
=bPeF
-----END PGP SIGNATURE-----