Date: Wed, 13 Nov 2013 02:21:57 -0500
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
CC: 729028@...s.debian.org, Simon Horman <horms@...ge.net.au>
Subject: perdition: ssl_outgoing_ciphers not applied to STARTTLS connections

Perdition, the IMAP and POP proxy server, fails to apply the
administrator's specified ciphersuite preferences when making outbound
connections to IMAP and POP servers using STARTTLS.  For these outbound
connections, it applies the administrator's listening ciphersuite
preferences, which in many cases may be significantly weaker.

This was first noted publicly on the Debian BTS:

  http://bugs.debian.org/729028

All versions of perdition up to 2.0 appear to be affected, and the fix
is a one-line patch.

This is not a critical vulnerability (it can be mitigated, for example,
by enforcing a strict minimalist ciphersuite on the backend server), but
in the absence of any such mitigation, it may cause the connections
between the proxy server and the backend server to negotiate a weaker
ciphersuite than the administrator's stated intent.

Could a CVE be issued for this issue?

Thanks,

	--dkg
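As an added example (not perdition's own code, and not part of the message above), a small Python audit helper: it uses OpenSSL's cipher-string expansion to show which suites a backend STARTTLS connection could negotiate when the listening list is applied instead of the intended ssl_outgoing_ciphers value, and that a strict backend-side policy (the mitigation the message names) closes the gap. The cipher strings are constructed for illustration.

```python
"""Audit helper: show how applying the *listening* cipher list to outbound
STARTTLS connections can widen what a proxy negotiates with a backend.
Added example, not perdition's own code; cipher strings are constructed."""
from __future__ import annotations

import ssl


def allowed_suites(cipher_string: str) -> set[str]:
    """Expand an OpenSSL cipher string into the suite names it enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # An unparsable selection, or one matching no suite, enables nothing.
        return set()
    # get_ciphers() lists every suite the context may offer (TLS 1.3 suites
    # are always present on OpenSSL 1.1.1+, so they cancel out below).
    return {c["name"] for c in ctx.get_ciphers()}


def unintended_suites(outgoing: str, applied: str, backend: str = "ALL") -> set[str]:
    """Suites the proxy may negotiate with the backend that the administrator's
    ssl_outgoing_ciphers setting did not permit.

    outgoing: the intended ssl_outgoing_ciphers value
    applied:  the list actually used (the bug applies the listening list)
    backend:  what the backend server itself accepts (the mitigation lever)
    """
    reachable = allowed_suites(applied) & allowed_suites(backend)
    return reachable - allowed_suites(outgoing)


if __name__ == "__main__":
    intended = "ECDHE+AESGCM"  # constructed strict outgoing policy
    listening = "DEFAULT"      # constructed, broader listening list
    print("unintended:", sorted(unintended_suites(intended, listening)))
    # Mitigation from the advisory: a strict backend makes the gap vanish.
    print("with strict backend:",
          sorted(unintended_suites(intended, listening, backend="ECDHE+AESGCM")))
```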

