Bug 572232 (CVE-2010-0744)

Summary: CVE-2010-0744 aMSN: Improper SSL certificate validation (MITM) when connecting to the MSN server
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: sander
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://seclists.org/bugtraq/2009/Jun/239
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-21 13:01:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 572249    
Bug Blocks:    

Description Jan Lieskovsky 2010-03-10 15:50:42 UTC 
Gabriel Menezes Nunes reported:
  [1] http://seclists.org/bugtraq/2009/Jun/239

that aMSN messenger failed to properly validate SSL certificates
when connecting to the MSN server. A remote attacker could
use this flaw to conduct man-in-the-middle attacks and / or
impersonate trusted servers.

References:
  [2] http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html
  [3] http://secunia.com/advisories/35621/
  [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572818

Some upstream aMSN-devel communication regarding the patch:
  [5] http://www.opensource-archive.org/showthread.php?p=183821

And relevant commit:
  [6] http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/?view=log&pathrev=11991

CVE Request:
  [7] http://www.openwall.com/lists/oss-security/2010/03/10/4
Comment 1 Jan Lieskovsky 2010-03-10 16:18:55 UTC 
This issue affects the versions of the amsn package, as shipped
with Fedora releases of 11 and 12.

Please fix, once the proposed, upstream patch [6] gets stabilized.
Comment 3 Jan Lieskovsky 2010-04-03 16:14:39 UTC 
This is CVE-2010-0744.
Comment 4 Jan Lieskovsky 2010-04-03 16:16:55 UTC 
Sander,

  could you please build new amsn package for Fedora
releases of 11 and 12, with proposed upstream changes:
  [1] http://amsn.svn.sourceforge.net/viewvc/amsn?view=rev&revision=11991
  [2] http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/amsn/ca-certs/?view=log
  anything else?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 5 Fedora Update System 2010-04-24 13:36:44 UTC 
amsn-0.98.3-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/amsn-0.98.3-1.fc13
Comment 6 Fedora Update System 2010-04-24 13:47:07 UTC 
amsn-0.98.3-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/amsn-0.98.3-1.fc12
Comment 7 Fedora Update System 2010-04-24 13:58:34 UTC 
amsn-0.98.3-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/amsn-0.98.3-2.fc11
Comment 8 Fedora Update System 2010-04-25 13:50:14 UTC 
amsn-0.98.3-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2010-05-10 16:55:56 UTC 
amsn-0.98.3-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-05-10 17:08:05 UTC 
amsn-0.98.3-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.