Bug 504979 (CVE-2009-1390)

Summary: CVE-2009-1390 Mutt 1.5.19 SSL chain verification flaw
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mlichvar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-06-16 06:54:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2009-06-10 09:55:04 UTC 
Mutt version 1.5.19 introduced a support for intermediate CA certs,
available when mutt is linked against both OpenSSL and GnuTLS, added
via upstream commits:

http://dev.mutt.org/trac/changeset/5621:5db868a874b6/mutt_ssl.c
http://dev.mutt.org/trac/changeset/5623:7d0583e0315d/mutt_ssl_gnutls.c

Miroslav Lichvar noticed that a certificate chain validation was not
implemented properly.  Individual certificates in the chain where
checked and accepted, but the chain as a whole as not validated
properly.

Issue was addressed via following upstream patches:

http://dev.mutt.org/trac/changeset?new=5870:dc9ec900c657@mutt_ssl.c&old=5699:1238dff54a15@mutt_ssl.c
http://dev.mutt.org/trac/changeset?new=5853:0b13183e40e0@mutt_ssl_gnutls.c&old=5699:1238dff54a15@mutt_ssl_gnutls.c
Comment 1 Tomas Hoger 2009-06-10 09:58:29 UTC 
This issue only affects mutt 1.5.19, version of mutt shipped in Red Hat Enterprise Linux 3, 4, and 5, and Fedora 9 and 10 are not affected by this problem.
Comment 2 Fedora Update System 2009-06-16 02:41:22 UTC 
mutt-1.5.19-5.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.