Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 23 Dec 2010 19:55:50 +0100
From: Nicolas Sebrecht <nicolas.s-dev@...oste.net>
To: Jan Lieskovsky <jlieskov@...hat.com>
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
	oss-security <oss-security@...ts.openwall.com>,
	Nicolas Sebrecht <nicolas.s-dev@...oste.net>,
	david b <db.pub.mail@...il.com>, Johannes Stezenbach <js@...21.net>,
	Christoph Höger <choeger@...tu-berlin.de>,
	John Goerzen <jgoerzen@...plete.org>
Subject: Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote
 SSL server certificate 2), allows SSLv2 protocol

On Thu, Dec 23, 2010 at 03:43:40PM +0100, Jan Lieskovsky wrote:
> 
>   I), Didn't check SSL server certificate
> 
>   Description:
>   OfflineIMAP prior commit:
>   [1] https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a
> 
>   did not perform SSL server certificate validation,
>   even when "ssl = yes" option was specified in the
>   configuration file. If an attacker was able to get
>   a carefully-crafted certificate signed by a
>   Certificate Authority trusted by OfflineIMAP,
>   the attacker could use the certificate during a
>   man-in-the-middle attack and potentially confuse
>   OfflineIMAP into accepting it by mistake.
>
>   References:
>   [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603450
>   [3] https://bugzilla.redhat.com/show_bug.cgi?id=665382
> 

First of all, thank you very much Jan and all the Redhat team for
reporting it up to the CVE database.

The given patch from Sebastian Spaeth has been released in v6.3.2-rc1. I
encourage distribution maintainers who want this fix to either

  deploy the RC release as is

or 

  backport the fix against the last release they own.

I expect to release a new stable soon but I still didn't have feedback
from users using SSL. The lack of feedback could mean that

  OfflineIMAP users don't expect SSL to work by still refering to the
  documentation they know (stating that SSL checks is not supported)

or 

  they don't hit problems at all.

So, I'll wait a bit more before releasing the next stable.

>   II), Allows SSLv2 protocol
> 
>   Description:
>   In commit:
>   [4] https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a
> 
>   when SSL server certificate validation support was added
>   to OfflineIMAP it was still possible to use SSL v2 protocol
>   version. Version 2 of SSL protocol version is known
>   to be prone to multiple deficiencies, each of them
>   having security implications (to mention some of them):
>   [5] http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security
> 
>   Thus SSLv2 protocol version should be disabled in OfflineIMAP.
> 
>   References:
>   [6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962
>   [7] https://bugzilla.redhat.com/show_bug.cgi?id=665386

True.

> Could you allocate CVE ids for these issues? (though opened for
> discussion of any / none of them worthy of it)

As the maintainer of OfflineIMAP, I think both issues should have their
entry in the CVE List.

Let us know if you want more clarifications.

Regards,

-- 
Nicolas Sebrecht

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.