Date: Wed, 17 Feb 2021 20:06:00 +0200
From: Dimitrios Glynos <dimitris@...sus-labs.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-26911: Canary Mail with IMAP STARTTLS missing certificate validation

Hello,

Rayd Debbas of CENSUS identified that Canary Mail versions 3.20 and 3.21
(and possibly previous versions) do not perform a certificate validation
check when configured for IMAP in STARTTLS mode. This bug affects Canary
Mail builds for Apple macOS and iOS. It is thus possible to carry out a
man-in-the-middle attack in such scenarios, and victim users receive no
warning.

More information about the issue can be found here:
https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/

The creators of Canary Mail have released version 3.22 of the software,
which addresses the issue. The relevant git commit can be found here:
https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018?branch=45acb4efbcaa57a20ac5127dc976538671fce018&diff=split

CVE-2021-26911 was assigned to this issue by MITRE.

Kind regards,
Dimitris
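The following is an added example; it is not code from the advisory, from Canary Mail, or from the mailcore2 commit linked above. It models the IMAP STARTTLS upgrade in Go over an in-memory pipe: a server presents a self-signed certificate for a hypothetical host name (imap.example.com, assumed here), and three clients run against it. The first skips certificate validation, the condition the advisory describes for the affected versions, and completes the handshake against a certificate nobody trusts, which is the man-in-the-middle scenario. The second validates the chain and the configured host name and rejects that certificate. The third shows that the same validating client still connects once the certificate is in its trust store. The helper names (selfSignedCert, serveOnce, imapStartTLS, demo) are this example's own.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Hypothetical server name the mail client is configured with (not from the advisory).
const imapHost = "imap.example.com"

// selfSignedCert mints a throwaway certificate for imapHost; no trust store contains it,
// so it stands in for the certificate a man-in-the-middle would present.
func selfSignedCert() (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: imapHost},
		DNSNames:     []string{imapHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der) // cannot fail on bytes we just produced
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// serveOnce plays the IMAP server on conn: greeting, STARTTLS, then the TLS upgrade.
func serveOnce(conn net.Conn, cert tls.Certificate) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	fmt.Fprint(conn, "* OK IMAP4rev1 ready\r\n")
	line, _ := r.ReadString('\n')
	if f := strings.Fields(line); len(f) == 2 && strings.EqualFold(f[1], "STARTTLS") {
		fmt.Fprintf(conn, "%s OK Begin TLS negotiation now\r\n", f[0])
		tconn := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})
		if tconn.Handshake() == nil { // fails when the client rejects our certificate
			fmt.Fprint(tconn, "* OK TLS established\r\n")
		}
	}
}

// imapStartTLS is the client side of the same exchange; cfg decides whether the
// server certificate is validated, which is the check the advisory says was missing.
func imapStartTLS(conn net.Conn, cfg *tls.Config) error {
	defer conn.Close()
	r := bufio.NewReader(conn)
	r.ReadString('\n') // server greeting; a failure here surfaces on the next read
	fmt.Fprint(conn, "a001 STARTTLS\r\n")
	resp, err := r.ReadString('\n')
	if err != nil || !strings.HasPrefix(resp, "a001 OK") {
		return fmt.Errorf("STARTTLS not accepted: %q %v", strings.TrimSpace(resp), err)
	}
	return tls.Client(conn, cfg).Handshake()
}

// demo runs three client configurations against a server presenting the untrusted
// certificate and returns each client's TLS handshake result.
func demo() [3]error {
	cert, parsed := selfSignedCert()
	trusted := x509.NewCertPool()
	trusted.AddCert(parsed)
	configs := [3]*tls.Config{
		{InsecureSkipVerify: true},                          // the bug: any certificate is accepted
		{ServerName: imapHost, RootCAs: x509.NewCertPool()}, // the fix, facing an attacker's certificate
		{ServerName: imapHost, RootCAs: trusted},            // the fix, facing the legitimate certificate
	}
	var res [3]error
	for i, cfg := range configs {
		client, server := net.Pipe() // in-memory connection standing in for TCP
		go serveOnce(server, cert)
		res[i] = imapStartTLS(client, cfg)
	}
	return res
}

func main() {
	r := demo()
	fmt.Printf("no validation: %v\nvalidating, untrusted: %v\nvalidating, trusted: %v\n", r[0], r[1], r[2])
}
```

The point for anyone reviewing a mail client is the tls.Config in the second and third cases: STARTTLS only upgrades an existing plaintext socket, and the certificate presented after the upgrade has to be checked against the trust store and the host name the user configured, exactly as it would be for a direct TLS (IMAPS) connection. A client that reaches the STARTTLS branch with verification disabled connects to whoever is on the path, with no warning to the user.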