Date: Sun, 22 Jun 2014 21:47:50 +0100
From: Richard Moore <rich@....org>
To: Nick Boyce <nick.boyce@...il.com>, David Faure <faure@....org>
Cc: oss-security@...ts.openwall.com
Subject: Re: KMail/KIO POP3 SSL MITM Flaw

I believe it was introduced in kdelibs 4.10.95, but David will know for sure.

Cheers

Rich.

On 22 June 2014 18:54, Nick Boyce <nick.boyce@...il.com> wrote:
> On 18 June 2014 21:07, Richard Moore <rich@....org> wrote:
>
> > Title: KMail/KIO POP3 SSL MITM Flaw
> > CVE: CVE-2014-3494
> > Versions: kdelibs 4.10.95 to 4.13.2
> [...]
> > The POP3 kioslave used by kmail will accept invalid
> > certificates without presenting a dialog to the user due
> > to a bug that leads to an inability to display the dialog
> > combined with an error in the way the result is checked.
> [...]
> > This flaw allows an active attacker to perform MITM
> > attacks against the ioslave which could result in the
> > leakage of sensitive data such as the authentication
> > details and the contents of emails.
>
> Is there anything you can add as to how long this bug has been in the
> codebase? In particular, is the KMail in Debian 'oldstable' systems
> affected (squeeze/kdelibs 4.4.5), or that in Debian 'stable' systems
> (wheezy/kdelibs 4.8.4)?
>
> I'm not sure whether to interpret the 'Versions' line in the advisory
> as "bug was introduced at kdelibs 4.10.95" - and there is no further
> information on the CVE at Mitre [1], or in the Debian bug [2]; there
> appears to be no relevant bug at bugs.kde.org (a search for the CVE,
> or any of the keywords "kdelibs pop3 ssl kioslave" returns nothing
> relevant).
>
> There is an IBM ISS report [3] which implies the bug affects at least
> kdelibs 4.6.x ....
>
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3494
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752052
> [3] http://xforce.iss.net/xforce/xfdb/93875
>
> Thanks,
>
> Nick
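The advisory quoted above describes two defects that only become exploitable together: the "is this certificate OK?" dialog cannot be shown, and the code that consumes the dialog's result treats that failure as if the user had said yes. The following is an added, constructed model of that bug class written for this page; it is not kdelibs or KIO code, and every name in it (Verdict, ask_user, proceed_vulnerable, proceed_fixed, pop3_login) is hypothetical. It shows a fail-open comparison ("anything that is not an explicit reject proceeds") beside the fail-closed one ("only an explicit accept proceeds"), and traces whether POP3 credentials would cross the wire to a MITM presenting an invalid certificate.

```python
"""Constructed model of a fail-open certificate prompt.

Illustration only: this is NOT the KIO POP3 kioslave's code. It models the
pattern the advisory describes, a dialog that cannot be displayed combined
with a result check that mistakes "no answer" for "accepted".
"""
from enum import Enum, auto
from typing import Callable, List


class Verdict(Enum):
    ACCEPT = auto()     # user explicitly trusted the certificate
    REJECT = auto()     # user explicitly refused it
    NO_DIALOG = auto()  # no UI could be shown; the user was never asked


def ask_user(dialog_available: bool, user_says_yes: bool) -> Verdict:
    """Stand-in for the certificate warning dialog (hypothetical).

    When the dialog cannot be displayed the caller receives NO_DIALOG rather
    than a user decision. That is the first half of the advisory's bug.
    """
    if not dialog_available:
        return Verdict.NO_DIALOG
    return Verdict.ACCEPT if user_says_yes else Verdict.REJECT


def proceed_vulnerable(cert_valid: bool, verdict: Verdict) -> bool:
    """Fail-open check: the second half of the bug.

    Anything that is not an explicit REJECT is allowed through, so an
    invalid certificate plus NO_DIALOG is silently accepted.
    """
    if cert_valid:
        return True
    return verdict != Verdict.REJECT


def proceed_fixed(cert_valid: bool, verdict: Verdict) -> bool:
    """Fail-closed check: an invalid certificate proceeds only on explicit ACCEPT.

    NO_DIALOG and REJECT both tear the connection down.
    """
    if cert_valid:
        return True
    return verdict is Verdict.ACCEPT


# Constructed sample credentials; they exist only to show what would leak.
LOGIN_SEQUENCE: List[str] = ["USER alice", "PASS s3cret", "STAT"]


def pop3_login(cert_valid: bool,
               dialog_available: bool,
               user_says_yes: bool,
               gate: Callable[[bool, Verdict], bool]) -> List[str]:
    """Simulated POP3-over-TLS login.

    Returns the client commands that would be sent after the TLS handshake.
    An empty list means the session was aborted before any credential left
    the client; a non-empty list against an invalid certificate means a
    MITM would capture USER/PASS.
    """
    verdict = Verdict.ACCEPT if cert_valid else ask_user(dialog_available, user_says_yes)
    if not gate(cert_valid, verdict):
        return []
    return list(LOGIN_SEQUENCE)


if __name__ == "__main__":
    # Attacker presents an invalid certificate and the dialog cannot be shown.
    print("vulnerable:", pop3_login(False, False, False, proceed_vulnerable))
    print("fixed:     ", pop3_login(False, False, False, proceed_fixed))
```

The design point is that the dialog's return type must distinguish "user declined" from "no decision was obtained", and the consumer must compare against the affirmative value, never against the negative one; the same fail-closed rule applies to any trust decision that can be short-circuited by a missing UI, a timeout, or an exception.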