Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 3 Jan 2011 13:51:11 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Nicolas Sebrecht <nicolas.s-dev@...oste.net>,
        david b <db.pub.mail@...il.com>, Johannes Stezenbach <js@...21.net>,
        Christoph Höger <choeger@...tu-berlin.de>,
        John Goerzen <jgoerzen@...plete.org>,
        Jan Lieskovsky <jlieskov@...hat.com>
Subject: Re: Re: CVE Request -- OfflineIMAP -- 1), failed to
 validate remote SSL server certificate 2), allows SSLv2 protocol



----- Original Message -----
> On Thu, Dec 23, 2010 at 03:43:40PM +0100, Jan Lieskovsky wrote:
> >
> >   I), Didn't check SSL server certificate
> >
> >   Description:
> >   OfflineIMAP prior commit:
> >   [1]
> >   https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a
> >
> >   did not perform SSL server certificate validation,
> >   even when "ssl = yes" option was specified in the
> >   configuration file. If an attacker was able to get
> >   a carefully-crafted certificate signed by a
> >   Certificate Authority trusted by OfflineIMAP,
> >   the attacker could use the certificate during a
> >   man-in-the-middle attack and potentially confuse
> >   OfflineIMAP into accepting it by mistake.
> >
> >   References:
> >   [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603450
> >   [3] https://bugzilla.redhat.com/show_bug.cgi?id=665382
> >
> 
> First of all, thank you very much Jan and all the Redhat team for
> reporting it up to the CVE database.
> 
> The given patch from Sebastian Spaeth has been released in v6.3.2-rc1.
> I
> encourage distribution maintainers who want this fix to either
> 
> deploy the RC release as is
> 
> or
> 
> backport the fix against the last release they own.
> 
> I expect to release a new stable soon but I still didn't have feedback
> from users using SSL. The lack of feedback could mean that
> 
> OfflineIMAP users don't expect SSL to work by still refering to the
> documentation they know (stating that SSL checks is not supported)
> 
> or
> 
> they don't hit problems at all.
> 
> So, I'll wait a bit more before releasing the next stable.
> 
> >   II), Allows SSLv2 protocol
> >
> >   Description:
> >   In commit:
> >   [4]
> >   https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a
> >
> >   when SSL server certificate validation support was added
> >   to OfflineIMAP it was still possible to use SSL v2 protocol
> >   version. Version 2 of SSL protocol version is known
> >   to be prone to multiple deficiencies, each of them
> >   having security implications (to mention some of them):
> >   [5] http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security
> >
> >   Thus SSLv2 protocol version should be disabled in OfflineIMAP.
> >
> >   References:
> >   [6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962
> >   [7] https://bugzilla.redhat.com/show_bug.cgi?id=665386
> 
> True.
> 
> > Could you allocate CVE ids for these issues? (though opened for
> > discussion of any / none of them worthy of it)
> 
> As the maintainer of OfflineIMAP, I think both issues should have
> their
> entry in the CVE List.
> 

As upstream has requested two, here you go:

CVE-2010-4532 offlineimap doesn't check SSL server certificate
CVE-2010-4533 offlineimap allows sslv2

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.