Re: CVE Request(s): Getmail 4

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://pyropus.ca/software/getmail/CHANGELOG

> Getmail 4.45.0 added IMAP4-over-SSL certificate hostname validation.
> POP3-over-SSL remained vulnerable to MITM attacks.

The CHANGELOG says:

  Version 4.46.0

      -add missing support for SSL certificate checking in POP3 which broke
      POP retrieval in v4.45.0.  Requires Python 2.6 or newer.  Thanks: "mancha".

This depends on the interpretation of "broke POP retrieval."

Do you mean that, in version 4.45.0, the client sent credentials over
a POP3-over-SSL connection, and actual POP3 mail retrieval failed
after credentials had already been sent? That behavior could have a
CVE ID.

Or do you mean that, in version 4.45.0, the POP3-over-SSL connection
was never fully established, and the client would not have sent
credentials? In other words, a MITM attack could succeed but there
would be no security impact? That behavior would not have a CVE ID.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUMrhZAAoJEKllVAevmvmstp0IAID4JjHJCsog98/a4SFblxRN
0pC7f/DpX/5izj2i1kBdRU1u+wgrmoikbXeyck50coamD5e+xD94/P2I+aEhO90R
9Xp3GWaLvghmdAjAXpA9KqHgrKU9F2PVHZW6j1eAalc4qCM6b6Dgi1bERLcJRPAI
oKZ4U/nb72HnS2y3U3GeVOvH6DnXaahvlGT06cSrTFQwoN6r5Azr037xygxMvDKk
ch4viXJ7S4Rm/vKntjb0XHdBO6oRP5qFDIHY73TBpcuAesmkrYmL1rFgDkWa3lXq
fyktjdFfuQlDkzZL9hQo4HHvZey2kgSQPK1ZninGO/Yj1KvAHG/1VrIJzxhbPmY=
=8/LZ
-----END PGP SIGNATURE-----