Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 20 Feb 2013 09:39:37 -0700
From: Vincent Danen <>
Subject: Re: isync/mbsync security advisory: missing SSL
 subject verification (CVE-2013-0289)

* [2013-02-20 09:19:04 +0100] Oswald Buddenhagen wrote:

>Christian Schneider <software [at] chschneider [dot] eu> discovered that
>isync does no SSL subject (hostname) verification.
>This means that any host with a valid certificate could pretend to be
>the wanted host, as long as the certificate store contained the relevant
>root certificate. This could be used for man-in-the-middle attacks, which
>could be used to steal passwords.
>Workaround: Specify a CertificateFile which contains only the wanted
>host's certificate, thus disabling trust chain based verification. Early
>versions of isync's SSL support tried to enforce this mode of operation.
>Isync releases 0.4 up to including 1.0.5 are affected. Version 1.0.6 has
>been just released to address the issue.

Note that this was disclosed to the distros@ list previously and had
been assigned the name CVE-2013-0289 (which the referenced patch notes
as well).

Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.