Date: Thu, 23 Dec 2010 15:43:40 +0100 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security <oss-security@...ts.openwall.com>, Nicolas Sebrecht <nicolas.s-dev@...oste.net>, david b <db.pub.mail@...il.com>, Johannes Stezenbach <js@...21.net>, Christoph Höger <choeger@...tu-berlin.de>, John Goerzen <jgoerzen@...plete.org> Subject: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol Hello Steve, vendors, two issues with security implications have been recently reported against OfflineIMAP: I), Didn't check SSL server certificate Description: OfflineIMAP prior commit:  https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a did not perform SSL server certificate validation, even when "ssl = yes" option was specified in the configuration file. If an attacker was able to get a carefully-crafted certificate signed by a Certificate Authority trusted by OfflineIMAP, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse OfflineIMAP into accepting it by mistake. References:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603450  https://bugzilla.redhat.com/show_bug.cgi?id=665382 II), Allows SSLv2 protocol Description: In commit:  https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a when SSL server certificate validation support was added to OfflineIMAP it was still possible to use SSL v2 protocol version. Version 2 of SSL protocol version is known to be prone to multiple deficiencies, each of them having security implications (to mention some of them):  http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security Thus SSLv2 protocol version should be disabled in OfflineIMAP. References:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962  https://bugzilla.redhat.com/show_bug.cgi?id=665386 Could you allocate CVE ids for these issues? (though opened for discussion of any / none of them worthy of it) Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.