Date: Mon, 6 Oct 2014 11:45:27 -0400 (EDT) From: cve-assign@...re.org To: mancha1@...o.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request(s): Getmail 4 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > http://pyropus.ca/software/getmail/CHANGELOG > Getmail 4.45.0 added IMAP4-over-SSL certificate hostname validation. > POP3-over-SSL remained vulnerable to MITM attacks. The CHANGELOG says: Version 4.46.0 -add missing support for SSL certificate checking in POP3 which broke POP retrieval in v4.45.0. Requires Python 2.6 or newer. Thanks: "mancha". This depends on the interpretation of "broke POP retrieval." Do you mean that, in version 4.45.0, the client sent credentials over a POP3-over-SSL connection, and actual POP3 mail retrieval failed after credentials had already been sent? That behavior could have a CVE ID. Or do you mean that, in version 4.45.0, the POP3-over-SSL connection was never fully established, and the client would not have sent credentials? In other words, a MITM attack could succeed but there would be no security impact? That behavior would not have a CVE ID. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUMrhZAAoJEKllVAevmvmstp0IAID4JjHJCsog98/a4SFblxRN 0pC7f/DpX/5izj2i1kBdRU1u+wgrmoikbXeyck50coamD5e+xD94/P2I+aEhO90R 9Xp3GWaLvghmdAjAXpA9KqHgrKU9F2PVHZW6j1eAalc4qCM6b6Dgi1bERLcJRPAI oKZ4U/nb72HnS2y3U3GeVOvH6DnXaahvlGT06cSrTFQwoN6r5Azr037xygxMvDKk ch4viXJ7S4Rm/vKntjb0XHdBO6oRP5qFDIHY73TBpcuAesmkrYmL1rFgDkWa3lXq fyktjdFfuQlDkzZL9hQo4HHvZey2kgSQPK1ZninGO/Yj1KvAHG/1VrIJzxhbPmY= =8/LZ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.