Bug 1149728 (CVE-2014-7273, CVE-2014-7274, CVE-2014-7275)

Summary: CVE-2014-7273 CVE-2014-7274 CVE-2014-7275 getmail: various flaws related to IMAP4-over-SSL certificate validation
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, LotharLutz, ricky
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: getmail 4.46.0
Doc Type: Bug Fix
Last Closed: 2014-10-28 19:59:48 UTC
Type: ---
Regression: ---
Bug Depends On: 1149732

Description Martin Prpič 2014-10-06 14:28:59 UTC
Various security-related flaws were fixed in getmail versions 4.44, 4.45, and 4.46 [1]. The version of getmail in epel-6 is: getmail-4.40.1-1.el6. CVEs for these issues were requested at [2]. Fedora and EPEL-7 ship getmail-4.46 and are thus not affected.

[1] http://pyropus.ca/software/getmail/CHANGELOG
[2] http://seclists.org/oss-sec/2014/q4/134

Comment 1 Martin Prpič 2014-10-08 08:22:46 UTC
MITRE assigned [1] three CVEs for these issues:

CVE-2014-7273: Getmail 4.0.0 through 4.43.0 allows IMAP MITM with an arbitrary certificate

CVE-2014-7274: Getmail 4.44.0 allows IMAP MITM with a valid/recognized certificate for an arbitrary hostname

CVE-2014-7275: Getmail 4.0.0 through 4.44.0 allows POP MITM with an arbitrary certificate

[1] http://seclists.org/oss-sec/2014/q4/199
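The three CVEs above describe two distinct certificate-validation failures in a TLS client: accepting any certificate at all (no chain verification) and accepting a valid certificate issued for some other hostname (no hostname check). The following added example, which is not getmail's code and not part of this bug report, shows how those two failure classes map onto Python's ssl.SSLContext settings and how an auditor can classify a context before handing it to imaplib or poplib. The function names (weak_context, chain_only_context, hardened_context, audit_context, open_imap, open_pop) are hypothetical; the connect helpers require network access and are not exercised offline.

```python
import imaplib
import poplib
import ssl

# Class 1 (cf. CVE-2014-7273 / CVE-2014-7275): neither the chain nor the
# hostname is verified, so any certificate is accepted. Constructed example of
# the weak setting; check_hostname must be cleared before verify_mode can be
# set to CERT_NONE.
def weak_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

# Class 2 (cf. CVE-2014-7274): the chain is verified against the trust store,
# but the hostname is not, so a valid certificate for any name is accepted.
def chain_only_context():
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

# Corrected setting: create_default_context() yields CERT_REQUIRED plus
# check_hostname=True. cafile is an optional path to a private CA bundle.
def hardened_context(cafile=None):
    return ssl.create_default_context(cafile=cafile)

# Classify a context by the MITM exposure it leaves open. Returns a list of
# findings; an empty list means both chain and hostname are checked.
def audit_context(ctx):
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("arbitrary certificate accepted (no chain verification)")
    elif not ctx.check_hostname:
        findings.append("valid certificate for any hostname accepted (no hostname check)")
    return findings

# Connect helpers: the context passed here decides which class the client
# falls into. imaplib takes ssl_context=, poplib takes context=.
def open_imap(host, port=993, ctx=None):
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx or hardened_context())

def open_pop(host, port=995, ctx=None):
    return poplib.POP3_SSL(host, port, context=ctx or hardened_context())

if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()),
                      ("chain-only", chain_only_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["ok"])
```

Running the audit over the three contexts prints one finding for each of the two flawed settings and "ok" for the hardened one; in a deployment, the same check is a cheap unit test against whatever context a mail client actually constructs.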

Comment 2 Fedora Update System 2014-10-28 11:05:24 UTC
getmail-4.46.0-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.