Date: Mon, 6 Oct 2014 18:47:05 +0000
From: mancha <mancha1@...o.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request(s): Getmail 4

On Mon, Oct 06, 2014 at 11:45:27AM -0400, cve-assign@...re.org wrote:
> > http://pyropus.ca/software/getmail/CHANGELOG
>
> > Getmail 4.45.0 added IMAP4-over-SSL certificate hostname validation.
> > POP3-over-SSL remained vulnerable to MITM attacks.
>
> The CHANGELOG says:
>
>   Version 4.46.0
>
>       -add missing support for SSL certificate checking in POP3 which
>       broke POP retrieval in v4.45.0.  Requires Python 2.6 or newer.
>       Thanks: "mancha".
>
> This depends on the interpretation of "broke POP retrieval."
>
> Do you mean that, in version 4.45.0, the client sent credentials over
> a POP3-over-SSL connection, and actual POP3 mail retrieval failed
> after credentials had already been sent? That behavior could have a
> CVE ID.
>
> Or do you mean that, in version 4.45.0, the POP3-over-SSL connection
> was never fully established, and the client would not have sent
> credentials? In other words, a MITM attack could succeed but there
> would be no security impact? That behavior would not have a CVE ID.

It's closer to the 2nd than the first. POP3-over-SSL stopped working
altogether and credentials were not sent over the wire:

Getmail 4.45.0:

  *Includes support for certificate hostname validation to be used
   with IMAP4-over-SSL only. [1]

  *A regression was introduced because ssl_match_hostname() calls
   (for immediate use with IMAP4-over-SSL and future use with
   POP3-over-SSL) and related code were prematurely added to the
   POP3-over-SSL retrievers. [2]

Getmail 4.46.0:

  *Includes POP3-over-SSL support for: a) certificate verification
   against a root store; b) certificate validation against an anchor
   fingerprint; c) certificate hostname match validation. [3]

In sum, the regression in 4.45.0 has no security impact and is
orthogonal to the CVE request. Hope this clarifies (the matrix below
might help further).

--mancha

[1] http://article.gmane.org/gmane.mail.getmail.user/5124
[2] http://article.gmane.org/gmane.mail.getmail.user/5150
[3] http://article.gmane.org/gmane.mail.getmail.user/5147

====

                      SSL Support Matrix

Version       IMAP4-over-SSL             POP3-over-SSL

4.0.0-4.43.0  No cert validation         No cert validation
4.44.0        Partial cert validation(a) No cert validation
4.45.0        Full cert validation       No cert validation(b)
4.46.0        Full cert validation       Full cert validation

(a) lacking certificate hostname checks
(b) still lacking cert validation infrastructure though a
    regression broke these retrievers entirely
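The three POP3-over-SSL checks listed for 4.46.0 above (root-store chain verification, anchor-fingerprint pinning, and certificate hostname matching), shown as an added Python 3 example for a POP3S client. This is illustrative code written for this page, not getmail's own implementation, and it assumes the standard library `ssl`/`poplib` modules; the sample certificate dict is constructed in the shape `getpeercert()` returns, and the hostname matcher is a deliberately simple RFC 6125-style check (leftmost-label wildcard only), not the full rule set. The fingerprint pin is checked right after the TLS handshake, before any credentials are sent, which is the distinction the thread turns on.

```python
import hashlib
import hmac
import poplib
import ssl
from typing import Mapping

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# for a parsed certificate. Not a real server certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.net")),
}


def make_verifying_context(cafile=None):
    """(a) + (c): verify the chain against a root store and check the hostname.
    With cafile=None the platform's default root store is used."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def make_unverified_context():
    """The pre-4.44 situation for contrast: encryption, but no certificate
    validation at all, so any certificate presented by a MITM is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_policy(ctx):
    """Summarise what a context enforces, for logging or tests."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "none"
    return "verify+hostname" if ctx.check_hostname else "verify"


def sha256_fingerprint(der_cert: bytes) -> str:
    """(b) helper: hex SHA-256 of the DER certificate, the usual pin format."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected_hex: str) -> bool:
    """(b): pin the peer certificate to a known anchor fingerprint.
    Accepts colon-separated or bare hex; compares in constant time."""
    expected = expected_hex.replace(":", "").lower()
    return hmac.compare_digest(sha256_fingerprint(der_cert), expected)


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single wildcard in the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    # "*.example.net" matches "pop.example.net" but not "a.b.example.net"
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]


def hostname_matches(cert: Mapping, hostname: str) -> bool:
    """(c): the name we dialled must appear in the certificate. DNS SANs win;
    the subject CN is consulted only when no DNS SAN is present."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_pattern_matches(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _pattern_matches(value, hostname)
    return False


def connect_pop3s(host, port=995, cafile=None, pinned_sha256=None):
    """Open a POP3-over-SSL session enforcing (a) and (c), plus (b) when a pin
    is supplied. The pin is checked after the handshake and before USER/PASS,
    so a mismatch never leaks credentials to the peer."""
    conn = poplib.POP3_SSL(host, port, context=make_verifying_context(cafile))
    if pinned_sha256 is not None:
        der = conn.sock.getpeercert(binary_form=True)
        if not fingerprint_matches(der, pinned_sha256):
            conn.close()
            raise ssl.SSLError("peer certificate fingerprint mismatch for %s" % host)
    return conn
```

`connect_pop3s("mail.example.com", pinned_sha256="<pin>")` would then fail closed on either an untrusted chain, a hostname mismatch, or a wrong fingerprint, and only then call `conn.user()`/`conn.pass_()`; the 4.45.0 regression described in the post is the opposite failure mode, where the session never got that far and so nothing sensitive crossed the wire.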

