Bug 665382 (CVE-2010-4532)

Summary: CVE-2010-4532 OfflineIMAP: Doesn't check SSL server certificate
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: choeger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:16:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 665399    
Bug Blocks:    

Description Jan Lieskovsky 2010-12-23 14:24:29 UTC 
OfflineIMAP prior commit:
[1] https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a

did not perform SSL server certificate validation,
even when "ssl = yes" option was specified in the
configuration file. If an attacker was able to get 
a carefully-crafted certificate signed by a 
Certificate Authority trusted by OfflineIMAP, 
the attacker could use the certificate during a 
man-in-the-middle attack and potentially confuse 
OfflineIMAP into accepting it by mistake.

References:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603450
Comment 1 Jan Lieskovsky 2010-12-23 14:46:25 UTC 
This issue affects the versions of the offlineimap package, as shipped
with Fedora release of 13 and 14.

Please schedule an update with the above patch.

Note: OfflineIMAP v6.3.1 was also released:
      [1] http://permalink.gmane.org/gmane.mail.imap.offlineimap.general/2138
     
      but didn't check if it contains the change already.
Comment 2 Jan Lieskovsky 2010-12-23 14:55:13 UTC 
CVE Request:
http://www.openwall.com/lists/oss-security/2010/12/23/2
Comment 3 Jan Lieskovsky 2010-12-23 15:17:16 UTC 
Created offlineimap tracking bugs for this issue

Affects: fedora-all [bug 665399]
Comment 4 Vincent Danen 2011-01-05 23:28:48 UTC 
This issue was assigned the name CVE-2010-4532:

http://article.gmane.org/gmane.comp.security.oss.general/4010