oss-sec mailing list archives
Re: CVE Request(s): Getmail 4
From: mancha <mancha1 () zoho com>
Date: Mon, 6 Oct 2014 18:47:05 +0000
On Mon, Oct 06, 2014 at 11:45:27AM -0400, cve-assign () mitre org wrote:
http://pyropus.ca/software/getmail/CHANGELOG

Getmail 4.45.0 added IMAP4-over-SSL certificate hostname validation. POP3-over-SSL remained vulnerable to MITM attacks.

The CHANGELOG says:

Version 4.46.0
-add missing support for SSL certificate checking in POP3 which broke POP retrieval in v4.45.0. Requires Python 2.6 or newer. Thanks: "mancha".

This depends on the interpretation of "broke POP retrieval."

Do you mean that, in version 4.45.0, the client sent credentials over a POP3-over-SSL connection, and actual POP3 mail retrieval failed after credentials had already been sent? That behavior could have a CVE ID.

Or do you mean that, in version 4.45.0, the POP3-over-SSL connection was never fully established, and the client would not have sent credentials? In other words, a MITM attack could succeed but there would be no security impact? That behavior would not have a CVE ID.
It's closer to the 2nd than the first. POP3-over-SSL stopped working altogether and credentials were not sent over the wire:

Getmail 4.45.0:

* Includes support for certificate hostname validation to be used with IMAP4-over-SSL only. [1]

* A regression was introduced because ssl_match_hostname() calls (for immediate use with IMAP4-over-SSL and future use with POP3-over-SSL) and related code were prematurely added to the POP3-over-SSL retrievers. [2]

Getmail 4.46.0:

* Includes POP3-over-SSL support for: a) certificate verification against a root store; b) certificate validation against an anchor fingerprint; c) certificate hostname match validation. [3]

In sum, the regression in 4.45.0 has no security impact and is orthogonal to the CVE request.

Hope this clarifies (below matrix might help further).

--mancha

[1] http://article.gmane.org/gmane.mail.getmail.user/5124
[2] http://article.gmane.org/gmane.mail.getmail.user/5150
[3] http://article.gmane.org/gmane.mail.getmail.user/5147

==== SSL Support Matrix

Version        IMAP4-over-SSL              POP3-over-SSL
4.0.0-4.43.0   No cert validation          No cert validation
4.44.0         Partial cert validation(a)  No cert validation
4.45.0         Full cert validation        No cert validation(b)
4.46.0         Full cert validation        Full cert validation

(a) lacking certificate hostname checks
(b) still lacking cert validation infrastructure though a regression
    broke these retrievers entirely
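The three POP3-over-SSL checks listed for 4.46.0 above, sketched as an added example that is not part of the original message and is not getmail's code. The function names are hypothetical, SHA-256 for the pinned fingerprint is an assumption, and Python 3's built-in hostname check stands in for the ssl_match_hostname() call mentioned in the thread.

```python
import hashlib
import hmac
import poplib
import ssl


def make_context(ca_file=None):
    """(a) chain verification against a root store, (c) hostname match."""
    # ca_file=None falls back to the system trust store.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED   # handshake fails on an untrusted chain
    ctx.check_hostname = True             # handshake fails on a name mismatch
    return ctx


def normalize_fp(text):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex for the pinned value."""
    return text.replace(":", "").replace(" ", "").lower()


def fingerprint_ok(der_cert, pinned_hex):
    """(b) compare the SHA-256 of the DER certificate with a pinned anchor."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fp(pinned_hex))


def open_pop3s(host, port=995, ca_file=None, pinned_hex=None, timeout=30):
    """Connect and run every check before returning the session.

    The caller issues USER/PASS only on the returned object, so no
    credentials leave the client when any check fails.
    """
    conn = poplib.POP3_SSL(host, port, timeout=timeout,
                           context=make_context(ca_file))
    if pinned_hex is not None:
        der = conn.sock.getpeercert(binary_form=True)
        if not fingerprint_ok(der, pinned_hex):
            conn.close()
            raise ssl.SSLError("certificate fingerprint mismatch")
    return conn
```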