Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 23 Dec 2010 11:08:48 -0600
From: John Goerzen <>
To: oss-security <>
CC: Jan Lieskovsky <>, 
 "Steven M. Christey" <>,
 Nicolas Sebrecht <>, 
 david b <>,
 Johannes Stezenbach <>, Christoph Höger
Subject: Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL
 server certificate 2), allows SSLv2 protocol

On 12/23/2010 08:43 AM, Jan Lieskovsky wrote:
> Hello Steve, vendors,
> two issues with security implications have been recently reported
> against OfflineIMAP:
> I), Didn't check SSL server certificate

Please note, by the way, that I am no longer OfflineIMAP maintainer; 
Nicolas Sebrecht, who I see CC'd, is.  Since I was CC'd, I'm assuming 
someone is looking for some historical perspective.

This isn't recent.  OfflineIMAP didn't check the certificate because it 
was impossible to do so in Python until Python 2.6; Python's built-in 
SSL API (socket.ssl) simply didn't provide any way to do it. 
OfflineIMAP's SSL support *significantly* predates Python 2.6 (it has 
been in OfflineIMAP since at least 2002).  This limitation has been well 
and widely documented, both in OfflineIMAP and in Python.  For instance, 
at in the 
description of ssl:

"Warning: This does not do any certificate verification!"

So if you're going to have a list of vulnerable versions, it probably 
goes back all the way to 1.0.0.

It is up to you folks whether you want to issue a CVE for it or not.

In my *personal* opinion, it's a little silly; you might as well issue a 
CVE on telnet because it is vulnerable to sniffing and MITM attacks. 
"Well, yes it is," you might say, "and everybody knows it is, and it's 
widely known, so why issue an advisory?"  SSL support in OfflineIMAP 
provided some measure of utility to connect to servers that only 
accepted SSL connections, as well as some measure of making attacks more 
difficult.  It was all that was practical in Python at the time.  But I 
don't expect to have a voice on that now, so feel free to ignore my opinion.

That's not to say I was happy with the situation.  I wasn't.  But such 
was all that was available.

I have seen patches to address this go across the mailing list, and I'm 
sure Nicolas could discuss that better than I at this point, so with 
that I'll bow out and leave this discussion of what to do with this to 
the people that are involved with the project presently.

- John

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.