You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa getmail4

Sigurnosni nedostaci programskog paketa getmail4

by ncert - 0

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

– ————————————————————————-
Debian Security Advisory DSA-3091-1 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
December 07, 2014 http://www.debian.org/security/faq
– ————————————————————————-

Package : getmail4
CVE ID : CVE-2014-7273 CVE-2014-7274 CVE-2014-7275
Debian Bug : 766670

Several vulnerabilities have been discovered in getmail4, a mail
retriever with support for POP3, IMAP4 and SDPS, that could allow
man-in-the-middle attacks.

CVE-2014-7273

The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0
does not verify X.509 certificates from SSL servers, which allows
man-in-the-middle attackers to spoof IMAP servers and obtain
sensitive information via a crafted certificate.

CVE-2014-7274

The IMAP-over-SSL implementation in getmail 4.44.0 does not verify
that the server hostname matches a domain name in the subject’s
Common Name (CN) field of the X.509 certificate, which allows
man-in-the-middle attackers to spoof IMAP servers and obtain
sensitive information via a crafted certificate from a recognized
Certification Authority.

CVE-2014-7275

The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0
does not verify X.509 certificates from SSL servers, which allows
man-in-the-middle attackers to spoof POP3 servers and obtain
sensitive information via a crafted certificate.

For the stable distribution (wheezy), these problems have been fixed in
version 4.46.0-1~deb7u1.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 4.46.0-1.

For the unstable distribution (sid), these problems have been fixed in
version 4.46.0-1.

We recommend that you upgrade your getmail4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIcBAEBCAAGBQJUhHzhAAoJEI9hzo2UfbETr1QP/isuRRWrrQPc2NiG7uLMDHwZ
7BRv//sLKpydFHLBrv6HSNo+o/6ijI8XI8JSaq4li9zZsXp6a0uiGOkm5zRXGAaA
kdFgGTeLYXhdECFeVu2ITobKWc1gx0Eq0prsf1nFfOWnNsOqfeq6xzj0zlHszWsZ
TN3eanmN47zVJ5cdEjlMick3LyGzkFFju+s5/Rlck8UkplBXM0+gpFbyaTJzpFuc
iFHPHSmPGADeLKre4DuZXSVsvDvfFJWYyGpVB7APmwMqDao6usYzE+ML98Z6aoj8
YeawH67YypWyeccLvi1bZvb+9hr8iaReqRpFSADVVo/m7RcPrmAnxSgLQHItS8AT
E7BwM4KCXbRyj7pTZfBN4YTwhCqoXKZCojERg+9PuM068tJe+GzcNFfvl0Ygli7Y
m6u7DxgeMs9YEfwqbZzIbtqK0w4uVdt/kGpYw8KG/FeZrYjXu602wWrUfVQd5mDH
XB0Kt56sH7KTUcjdQB2QNjNY4NjIR3k4CWUQOZ/2xSKZUWiYLqTfNO1uSkLhLWv/
VulZZU/iIdlz2X1MRGZ8ohH271No4Q9Bz+/6H6qIXJpyVax3LDewLRg5aWliemyo
jU69x4uwZIarB+LhuRVnAONAnRybQQGJH1bXlDyeQP9++QvP9V0MEYoONujLPMUE
CPMvXGkJd5PSFn/iVQrc
=OzmR
—–END PGP SIGNATURE—–


To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of “unsubscribe”. Trouble? Contact listmaster@lists.debian.org
Archive: https://lists.debian.org/20141207161425.GA28829@sd6-work.iuculano.it

ncert
Top
More in Preporuke
Sigurnosni propust programskog paketa kwebkitpart

Kod programskog paketa kwebkitpart otkriven je propust uzrokovan neispravnim upravljanjem provjere unesenih parametara. Napadač je propust potencijalno mogao iskoristiti za...

Close