[Secure-testing-team] Bug#766670: getmail4: unpatched security issues (MITM) in stable
Henrique de Moraes Holschuh
hmh at debian.org
Fri Oct 24 18:02:52 UTC 2014
Package: getmail4
Version: 4.2.0-1
Severity: grave
Tags: security
Justification: user security hole
Getmail before 4.46.0 is vulnerable to MITM attacks:
The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does not
verify X.509 certificates from SSL servers, which allows man-in-the-middle
attackers to spoof IMAP servers and obtain sensitive information via a
crafted certificate. (CVE-2014-7273)
The IMAP-over-SSL implementation in getmail 4.44.0 does not verify that the
server hostname matches a domain name in the subject's Common Name (CN)
field of the X.509 certificate, which allows man-in-the-middle attackers to
spoof IMAP servers and obtain sensitive information via a crafted
certificate from a recognized Certification Authority. (CVE-2014-7274)
The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0 does not
verify X.509 certificates from SSL servers, which allows man-in-the-middle
attackers to spoof POP3 servers and obtain sensitive information via a
crafted certificate. (CVE-2014-7275)
These issues have been fixed in Debian sid and Debian jessie since the end
of April/2014, with the getmail4 4.46.0-1 upload.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
More information about the Secure-testing-team
mailing list