oss-sec mailing list archives
Re: CVE Request(s): Getmail 4
From: cve-assign () mitre org
Date: Mon, 6 Oct 2014 11:45:27 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
http://pyropus.ca/software/getmail/CHANGELOG
Getmail 4.45.0 added IMAP4-over-SSL certificate hostname validation. POP3-over-SSL remained vulnerable to MITM attacks.
The CHANGELOG says: Version 4.46.0 -add missing support for SSL certificate checking in POP3 which broke POP retrieval in v4.45.0. Requires Python 2.6 or newer. Thanks: "mancha". This depends on the interpretation of "broke POP retrieval." Do you mean that, in version 4.45.0, the client sent credentials over a POP3-over-SSL connection, and actual POP3 mail retrieval failed after credentials had already been sent? That behavior could have a CVE ID. Or do you mean that, in version 4.45.0, the POP3-over-SSL connection was never fully established, and the client would not have sent credentials? In other words, a MITM attack could succeed but there would be no security impact? That behavior would not have a CVE ID. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUMrhZAAoJEKllVAevmvmstp0IAID4JjHJCsog98/a4SFblxRN 0pC7f/DpX/5izj2i1kBdRU1u+wgrmoikbXeyck50coamD5e+xD94/P2I+aEhO90R 9Xp3GWaLvghmdAjAXpA9KqHgrKU9F2PVHZW6j1eAalc4qCM6b6Dgi1bERLcJRPAI oKZ4U/nb72HnS2y3U3GeVOvH6DnXaahvlGT06cSrTFQwoN6r5Azr037xygxMvDKk ch4viXJ7S4Rm/vKntjb0XHdBO6oRP5qFDIHY73TBpcuAesmkrYmL1rFgDkWa3lXq fyktjdFfuQlDkzZL9hQo4HHvZey2kgSQPK1ZninGO/Yj1KvAHG/1VrIJzxhbPmY= =8/LZ -----END PGP SIGNATURE-----
Current thread:
- CVE Request(s): Getmail 4 mancha (Oct 06)
- Re: CVE Request(s): Getmail 4 cve-assign (Oct 06)
- Re: CVE Request(s): Getmail 4 mancha (Oct 06)
- Re: CVE Request(s): Getmail 4 cve-assign (Oct 07)
- Re: CVE Request(s): Getmail 4 cve-assign (Oct 06)