Date: Thu, 14 Nov 2013 20:59:17 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: 729028@...s.debian.org, Simon Horman <horms@...ge.net.au>
Subject: Re: perdition: ssl_outgoing_ciphers not applied to STARTTLS connections

On 11/13/2013 12:21 AM, Daniel Kahn Gillmor wrote:
> Perdition, the IMAP and POP proxy server, fails to apply the 
> administrator's specified ciphersuite preferences when making
> outbound connections to IMAP and POP servers using STARTTLS.  For
> these outbound connections, it applies the administrator's
> listening ciphersuite preferences, which in many cases may be
> significantly weaker.
> 
> This was first noted publicly on the debian BTS:
> 
> http://bugs.debian.org/729028
> 
> All versions of perdition up to 2.0 appear to be affected, and the
> fix is a one-line patch.
> 
> This is not a critical vulnerability (it can be mitigated, for
> example, by enforcing a strict minimalist ciphersuite on the
> backend server), but in the absence of any such mitigation, it may
> cause the connections between the proxy server and the backend
> server to negotiate a weaker ciphersuite than the administrator's
> stated intent.
> 
> Could a CVE be issued for this issue?
> 
> Thanks,
> 
> --dkg
> 

Please use CVE-2013-4584 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

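The bug class described in the report above (an outbound STARTTLS context being built from the listening-side cipher list instead of the outgoing one) is easy to reproduce and to check for with Python's `ssl` module. The following is an added illustration, not perdition's code and not the one-line patch referenced in the Debian bug: `ProxyConfig`, `outgoing_context_buggy`, `outgoing_context_fixed` and `unintended_ciphers` are hypothetical names, and the two cipher strings are constructed sample values standing in for an administrator's `ssl_listen_ciphers` / `ssl_outgoing_ciphers` settings.

```python
"""
Illustration of a proxy applying the wrong cipher list to outbound STARTTLS
connections, and a check that detects it by comparing the ciphers a context
will actually offer against the ciphers the administrator intended.
Hypothetical example code; not perdition's implementation.
"""
import ssl
from dataclasses import dataclass


@dataclass
class ProxyConfig:
    # Constructed sample settings: what the proxy offers to connecting clients
    # (listening side) and what it should offer to backend servers (outgoing).
    ssl_listen_ciphers: str
    ssl_outgoing_ciphers: str


def cipher_names(ctx: ssl.SSLContext) -> list[str]:
    """Names of every cipher the context would offer in a handshake."""
    return sorted(c["name"] for c in ctx.get_ciphers())


def outgoing_context_buggy(cfg: ProxyConfig, starttls: bool) -> ssl.SSLContext:
    """Builds the client-side context for a backend connection.

    Mirrors the reported defect: the STARTTLS path reuses the cipher string
    meant for the listening socket, so the administrator's outgoing
    preference is silently ignored on that path.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    spec = cfg.ssl_listen_ciphers if starttls else cfg.ssl_outgoing_ciphers
    ctx.set_ciphers(spec)
    return ctx


def outgoing_context_fixed(cfg: ProxyConfig, starttls: bool) -> ssl.SSLContext:
    """Same as above with the defect removed: outgoing connections always
    use the outgoing cipher list, whether TLS is implicit or via STARTTLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cfg.ssl_outgoing_ciphers)
    return ctx


def unintended_ciphers(ctx: ssl.SSLContext, intended_spec: str) -> list[str]:
    """Ciphers the context would offer that the intended OpenSSL cipher
    string does not permit. An empty list means the context matches intent.

    Note: set_ciphers() governs TLS 1.2 and earlier suites only; TLS 1.3
    suites are listed by get_ciphers() for both contexts and therefore
    cancel out in the set difference.
    """
    reference = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    reference.set_ciphers(intended_spec)
    return sorted(set(cipher_names(ctx)) - set(cipher_names(reference)))


def audit(cfg: ProxyConfig, builder, starttls: bool) -> list[str]:
    """Runs the check against a context builder for a given connection type."""
    return unintended_ciphers(builder(cfg, starttls), cfg.ssl_outgoing_ciphers)


# Constructed sample: a permissive listening list and a stricter outgoing list.
SAMPLE_CONFIG = ProxyConfig(
    ssl_listen_ciphers="DEFAULT",
    ssl_outgoing_ciphers="ECDHE+AESGCM",
)


if __name__ == "__main__":
    for label, builder in (("buggy", outgoing_context_buggy),
                           ("fixed", outgoing_context_fixed)):
        for starttls in (False, True):
            extra = audit(SAMPLE_CONFIG, builder, starttls)
            kind = "STARTTLS" if starttls else "implicit TLS"
            print(f"{label:5s} {kind:12s} unintended ciphers offered: {len(extra)}")
```

Running the audit shows the buggy builder offering additional, non-intended suites only on the STARTTLS path, while the fixed builder offers none on either path; the same `unintended_ciphers` comparison can be used as a regression test for any proxy that keeps separate listen and outgoing cipher settings.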