oss-sec mailing list archives
Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol
From: Nicolas Sebrecht <nicolas.s-dev () laposte net>
Date: Thu, 23 Dec 2010 19:55:50 +0100
On Thu, Dec 23, 2010 at 03:43:40PM +0100, Jan Lieskovsky wrote:
I), Didn't check SSL server certificate Description: OfflineIMAP prior commit: [1] https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a did not perform SSL server certificate validation, even when "ssl = yes" option was specified in the configuration file. If an attacker was able to get a carefully-crafted certificate signed by a Certificate Authority trusted by OfflineIMAP, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse OfflineIMAP into accepting it by mistake. References: [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603450 [3] https://bugzilla.redhat.com/show_bug.cgi?id=665382
First of all, thank you very much Jan and all the Redhat team for reporting it up to the CVE database. The given patch from Sebastian Spaeth has been released in v6.3.2-rc1. I encourage distribution maintainers who want this fix to either deploy the RC release as is or backport the fix against the last release they own. I expect to release a new stable soon but I still didn't have feedback from users using SSL. The lack of feedback could mean that OfflineIMAP users don't expect SSL to work by still refering to the documentation they know (stating that SSL checks is not supported) or they don't hit problems at all. So, I'll wait a bit more before releasing the next stable.
II), Allows SSLv2 protocol Description: In commit: [4] https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a when SSL server certificate validation support was added to OfflineIMAP it was still possible to use SSL v2 protocol version. Version 2 of SSL protocol version is known to be prone to multiple deficiencies, each of them having security implications (to mention some of them): [5] http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security Thus SSLv2 protocol version should be disabled in OfflineIMAP. References: [6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962 [7] https://bugzilla.redhat.com/show_bug.cgi?id=665386
True.
Could you allocate CVE ids for these issues? (though opened for discussion of any / none of them worthy of it)
As the maintainer of OfflineIMAP, I think both issues should have their entry in the CVE List. Let us know if you want more clarifications. Regards, -- Nicolas Sebrecht
Current thread:
- CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol Jan Lieskovsky (Dec 23)
- Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol dave b (Dec 23)
- Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol John Goerzen (Dec 23)
- Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol Nicolas Sebrecht (Dec 23)
- Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol Johannes Stezenbach (Dec 23)