oss-sec mailing list archives

Re: perdition: ssl_outgoing_ciphers not applied to STARTTLS connections


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 14 Nov 2013 20:59:17 -0700


On 11/13/2013 12:21 AM, Daniel Kahn Gillmor wrote:
Perdition, the IMAP and POP proxy server, fails to apply the 
administrator's specified ciphersuite preferences when making
outbound connections to IMAP and POP servers using STARTTLS.  For
these outbound connections, it applies the administrator's
listening ciphersuite preferences, which in many cases may be
significantly weaker.

This was first noted publicly on the Debian BTS:

http://bugs.debian.org/729028

All versions of perdition up to 2.0 appear to be affected, and the
fix is a one-line patch.

This is not a critical vulnerability (it can be mitigated, for
example, by enforcing a strict minimalist ciphersuite on the
backend server), but in the absence of any such mitigation, it may
cause the connections between the proxy server and the backend
server to negotiate a weaker ciphersuite than the administrator's
stated intent.

Could a CVE be issued for this issue?

Thanks,

--dkg


Please use CVE-2013-4584 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
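To make the reported failure mode concrete, the following is an added example (a constructed Python model, not perdition's code): it shows how an outbound STARTTLS path that reuses the listening cipher list ends up offering a different suite set than the administrator configured, and a check an admin could keep to verify the outgoing policy holds. The option names come from the report; the selection logic and cipher strings are assumptions.

```python
import ssl

# Constructed proxy settings. Assumption: the two option names mirror the
# perdition options named in the report; the values are illustrative only.
CONFIG = {
    "ssl_listen_ciphers": "HIGH",           # permissive list for client-facing side
    "ssl_outgoing_ciphers": "ECDHE+AESGCM",  # strict list intended for backends
}


def select_cipher_list(config, direction, starttls, fixed):
    """Return the cipher string a connection would be configured with.

    direction: "listen" (client -> proxy) or "outgoing" (proxy -> backend).
    starttls:  True when TLS is negotiated after a plaintext STARTTLS.
    fixed:     False reproduces the reported behaviour, True the intended one.
    """
    if direction == "listen":
        return config["ssl_listen_ciphers"]
    # Outbound STARTTLS path: the reported fault is that it reused the
    # listening cipher list instead of the outgoing one.
    if starttls and not fixed:
        return config["ssl_listen_ciphers"]
    return config["ssl_outgoing_ciphers"]


def offered_ciphers(cipher_list):
    """TLS 1.2 suite names OpenSSL would actually offer for a cipher string.

    TLS 1.3 suites are excluded because set_ciphers() does not govern them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def outgoing_matches_policy(config, starttls, fixed):
    """True if the proxy -> backend connection offers exactly the suites that
    ssl_outgoing_ciphers permits; the property an administrator expects to hold
    for both direct-TLS and STARTTLS backends."""
    selected = select_cipher_list(config, "outgoing", starttls, fixed)
    intended = offered_ciphers(config["ssl_outgoing_ciphers"])
    return set(offered_ciphers(selected)) == set(intended)
```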
