oss-sec mailing list archives
CVE Request(s): Getmail 4
From: mancha <mancha1 () zoho com>
Date: Mon, 6 Oct 2014 09:08:34 +0000
Hello.

Getmail 4.0.0 introduced support for secure mail retrieval (IMAP4-over-SSL and POP3-over-SSL). However, it lacked certificate verification, which rendered SSL/TLS transport entirely vulnerable to MITM attacks. [*]

Getmail 4.44.0 added IMAP4-over-SSL certificate verification against trusted root stores and/or SHA-256 digests. However, it lacked certificate hostname validation, such that adversaries in possession of arbitrary certificates signed by trusted root certificates could still level MITM attacks. POP3-over-SSL remained vulnerable to MITM attacks. [*]

Getmail 4.45.0 added IMAP4-over-SSL certificate hostname validation. POP3-over-SSL remained vulnerable to MITM attacks. [*]

Getmail 4.46.0 added POP3-over-SSL certificate verification against trusted root stores and/or SHA-256 digests as well as certificate hostname validation. [*]

Please allocate CVE ID(s) for the above issues, as needed.

Thanks.

--mancha

[*] http://pyropus.ca/software/getmail/CHANGELOG
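The three checks the post says were missing (chain verification against a trust store, certificate hostname validation, and an SHA-256 digest match) as a Python mail client would apply them, with the unverified configuration beside the verifying one. This is an added example, not getmail's own code; host, port, CA file and fingerprint are placeholders supplied by the caller.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional

def insecure_context() -> ssl.SSLContext:
    """The pre-4.44.0 state described in the post: TLS is used, but the peer
    certificate is never checked, so any certificate on the path is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verifying_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Trust-store verification plus hostname validation (the 4.45.0 IMAP state).
    ca_file=None uses the platform's default root store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must validate to a trusted root
    ctx.check_hostname = True             # certificate name must match server_hostname
    return ctx

def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only when both chain verification and hostname checking are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def cert_sha256(der_cert: bytes) -> str:
    """Lowercase hex SHA-256 digest of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()

def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time compare against a configured 'ab:cd:...' or 'abcd...' digest."""
    wanted = expected.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(cert_sha256(der_cert), wanted)

def connect_imaps(host: str, expected_fp: Optional[str] = None, port: int = 993,
                  ca_file: Optional[str] = None, timeout: float = 30.0) -> ssl.SSLSocket:
    """Open IMAP4-over-SSL: chain and hostname are checked during the handshake,
    then the optional SHA-256 pin is checked against the DER certificate."""
    ctx = verifying_context(ca_file)
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)   # server_hostname also selects SNI
    if expected_fp is not None and not fingerprint_matches(
            tls.getpeercert(binary_form=True), expected_fp):
        tls.close()
        raise ssl.SSLError("server certificate SHA-256 digest does not match configured value")
    return tls
```

Pinning a digest catches a certificate that chains to a trusted root but is not the one the operator expects, which is exactly the gap the 4.44.0 change left for hostname checking to close.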