[Secure-testing-team] Bug#553433: CVE-2009-3766: missing host name vs. SSL certificate name checks
Giuseppe Iuculano
iuculano at debian.org
Sat Oct 31 10:01:50 UTC 2009
Package: mutt
Severity: grave
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mutt.
CVE-2009-3766[0]:
| mutt_ssl.c in mutt 1.5.16, when OpenSSL is used, does not verify the
| domain name in the subject's Common Name (CN) field of an X.509
| certificate, which allows man-in-the-middle attackers to spoof SSL
| servers via an arbitrary valid certificate.
Please coordinate with the security team (team at security.debian.org) to
prepare packages for the stable and oldstable releases.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3766
http://security-tracker.debian.org/tracker/CVE-2009-3766
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrsCwsACgkQNxpp46476ap7UQCfXTB25r/gpBnXfDTBT0dI1IcK
ETYAnjJTfCnifLMUmqb90U+RO+mSqIjF
=xxZh
-----END PGP SIGNATURE-----
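The CVE text above describes a client that validated the certificate chain but never compared the name it connected to against the names inside the certificate, so any certificate a CA would issue to anyone was accepted for every server. The following is an added example, not code from mutt or from the Debian report, of the check that was missing: it matches a hostname against a simplified, constructed representation of a certificate's identity fields (`CertNames` with a Common Name, subjectAltName dNSName and iPAddress entries are assumptions of this example) using RFC 6125 style rules.

```python
"""Hostname-vs-certificate name check (added example, not mutt's code).

A chain-valid certificate only proves that some CA vouched for the names
inside it.  The client must still confirm that the host it intended to reach
is one of those names.  Rules implemented here:

  * if the certificate carries subjectAltName dNSName entries, only those are
    consulted and the Common Name is ignored;
  * otherwise the Common Name is used as a fallback;
  * DNS comparison is case-insensitive;
  * a wildcard is accepted only as the entire leftmost label ("*.example.org"),
    matches exactly one label, and needs at least two further labels, so
    "*.org" never matches;
  * an IP address host must appear as an iPAddress SAN entry; CN and
    wildcards do not apply to it.
"""

from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress


@dataclass
class CertNames:
    """Constructed stand-in for the identity fields parsed from an X.509 cert."""
    common_name: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly wildcarded) against hostname."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label, appear nowhere else, and leave
    # at least two fixed labels (otherwise "*.org" would cover every .org host).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    # "*" stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname: str, names: CertNames) -> bool:
    """Return True iff hostname is one of the identities the certificate asserts."""
    if _is_ip(hostname):
        target = ipaddress.ip_address(hostname)
        return any(_is_ip(ip) and ipaddress.ip_address(ip) == target for ip in names.san_ip)
    if names.san_dns:
        # SAN present: the CN is ignored entirely, even if it would match.
        return any(_dns_name_match(p, hostname) for p in names.san_dns)
    if names.common_name:
        return _dns_name_match(names.common_name, hostname)
    return False


if __name__ == "__main__":
    # Constructed sample: a chain-valid certificate issued for a different host
    # is the situation the CVE describes; a correct client rejects it.
    server_cert = CertNames(common_name="mail.other.example")
    print(hostname_matches_cert("imap.example.org", server_cert))  # False
```

In a real client this check runs after chain verification succeeds and before any credentials are sent; a mismatch must abort the connection rather than fall through to a warning that the user can click past.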