Re: isync/mbsync security advisory: missing SSL subject verification (CVE-2013-0289)

[Vincent Danen <vdanen () redhat com>]

* [2013-02-20 09:19:04 +0100] Oswald Buddenhagen wrote:

> Christian Schneider <software [at] chschneider [dot] eu> discovered that
> isync does no SSL subject (hostname) verification.
>
> This means that any host with a valid certificate could pretend to be
> the wanted host, as long as the certificate store contained the relevant
> root certificate. This could be used for man-in-the-middle attacks, which
> could be used to steal passwords.
>
> Workaround: Specify a CertificateFile which contains only the wanted
> host's certificate, thus disabling trust chain based verification. Early
> versions of isync's SSL support tried to enforce this mode of operation.
>
> Isync releases 0.4 up to including 1.0.5 are affected. Version 1.0.6 has
> been just released to address the issue.
>
> Download: https://sourceforge.net/projects/isync/files/isync/1.0.6/
> Patch: http://isync.git.sourceforge.net/git/gitweb.cgi?p=isync/isync;a=patch;h=914ede18664980925628a9ed2a73ad05f85aeedb

Note that this was disclosed to the distros@ list previously and had
been assigned the name CVE-2013-0289 (which the referenced patch notes
as well).

--
Vincent Danen / Red Hat Security Response Team