Date: Mon, 6 Oct 2014 18:47:05 +0000
From: mancha <mancha1@...o.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request(s): Getmail 4

On Mon, Oct 06, 2014 at 11:45:27AM -0400, cve-assign@...re.org wrote:
> > http://pyropus.ca/software/getmail/CHANGELOG
>
> > Getmail 4.45.0 added IMAP4-over-SSL certificate hostname validation.
> > POP3-over-SSL remained vulnerable to MITM attacks.
>
> The CHANGELOG says:
>
>   Version 4.46.0
>
>   -add missing support for SSL certificate checking in POP3 which
>    broke POP retrieval in v4.45.0. Requires Python 2.6 or newer.
>    Thanks: "mancha".
>
> This depends on the interpretation of "broke POP retrieval."
>
> Do you mean that, in version 4.45.0, the client sent credentials over
> a POP3-over-SSL connection, and actual POP3 mail retrieval failed
> after credentials had already been sent? That behavior could have a
> CVE ID.
>
> Or do you mean that, in version 4.45.0, the POP3-over-SSL connection
> was never fully established, and the client would not have sent
> credentials? In other words, a MITM attack could succeed but there
> would be no security impact? That behavior would not have a CVE ID.

It's closer to the 2nd than the first. POP3-over-SSL stopped working
altogether and credentials were not sent over the wire:

Getmail 4.45.0:

*Includes support for certificate hostname validation to be used with
 IMAP4-over-SSL only.

*A regression was introduced because ssl_match_hostname() calls (for
 immediate use with IMAP4-over-SSL and future use with POP3-over-SSL)
 and related code were prematurely added to the POP3-over-SSL
 retrievers.

Getmail 4.46.0:

*Includes POP3-over-SSL support for: a) certificate verification
 against a root store; b) certificate validation against an anchor
 fingerprint; c) certificate hostname match validation.

In sum, the regression in 4.45.0 has no security impact and is
orthogonal to the CVE request.

Hope this clarifies (below matrix might help further).

--mancha

http://article.gmane.org/gmane.mail.getmail.user/5124
http://article.gmane.org/gmane.mail.getmail.user/5150
http://article.gmane.org/gmane.mail.getmail.user/5147

====

SSL Support Matrix

Version        IMAP4-over-SSL               POP3-over-SSL
4.0.0-4.43.0   No cert validation           No cert validation
4.44.0         Partial cert validation(a)   No cert validation
4.45.0         Full cert validation         No cert validation(b)
4.46.0         Full cert validation         Full cert validation

(a) lacking certificate hostname checks
(b) still lacking cert validation infrastructure though a regression
    broke these retrievers entirely
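Added example, not part of the message above and not getmail's own code: a Python 3 sketch of the three POP3-over-SSL checks listed for 4.46.0, performed before any credentials are sent. The function names, the sample data and the choice of SHA-256 for the fingerprint are assumptions made for illustration.

```python
import hashlib
import hmac
import poplib
import ssl

# Constructed sample input (not real server data): stand-in bytes for a DER
# certificate and a dict in the shape SSLSocket.getpeercert() returns.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_CERT = {"subjectAltName": (("DNS", "pop.example.org"),
                                  ("DNS", "*.mail.example.org"))}

def verified_context(cafile=None):
    """(a) chain verification against a root store, with (c) enforced by ssl."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Already the defaults; spelled out because CERT_NONE without hostname
    # checking is the "No cert validation" state in the matrix.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx

def fingerprint_matches(der_cert, pinned_hex):
    """(b) compare the DER certificate's SHA-256 (assumed hash) with a pin."""
    want = pinned_hex.replace(":", "").lower()
    return hmac.compare_digest(hashlib.sha256(der_cert).hexdigest(), want)

def hostname_matches(cert, hostname):
    """(c) a simplified subjectAltName match, written out to show the rule."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        # A wildcard is honoured only as the entire left-most label.
        if pattern.startswith("*.") and "*" not in pattern[2:] and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def open_pop3s(host, pinned_hex=None, port=995):
    """Connect; the caller sends USER/PASS only if this returns."""
    conn = poplib.POP3_SSL(host, port, context=verified_context())
    der = conn.sock.getpeercert(binary_form=True)
    if pinned_hex and not fingerprint_matches(der, pinned_hex):
        conn.close()
        raise ssl.SSLError("certificate fingerprint mismatch")
    return conn
```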