Bug 665386 (CVE-2010-4533)

Summary: CVE-2010-4533 OfflineIMAP: Disable SSLv2 protocol
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: choeger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:17:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 665399    
Bug Blocks:    

Description Jan Lieskovsky 2010-12-23 14:31:43 UTC 
In commit:
[1] https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a

when SSL server certificate validation support was added
to OfflineIMAP it was still possible to use SSL v2 protocol
version. Version 2 of SSL protocol version is known
to be prone to multiple deficiencies, each of them
having security implications (to mention some of them):
[2] http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security

Thus SSLv2 protocol version should be disabled in OfflineIMAP.

References:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962
Comment 1 Jan Lieskovsky 2010-12-23 14:53:18 UTC 
This issue affects the versions of the offlineimap package, as shipped
with Fedora release of 13 and 14.

Please schedule an update.

Note: According to python SSL module documentation:
      http://docs.python.org/library/ssl.html

      it should be possible to specify SSL version in 'wrap_socket()'
      routine ("ssl_version" argument). So it should be enough to
      specify appropriate value for it in imaplibutil.py:

121 +            self.sslobj = ssl.wrap_socket(self.sock, self.keyfile,
122 +                                          self.certfile,
123 +                                          ca_certs = self._cacertfile,
124 +                                          cert_reqs = requirecert)

(based on:
https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a)
Comment 2 Jan Lieskovsky 2010-12-23 14:55:28 UTC 
CVE Request:
http://www.openwall.com/lists/oss-security/2010/12/23/2
Comment 3 Jan Lieskovsky 2010-12-23 15:17:33 UTC 
Created offlineimap tracking bugs for this issue

Affects: fedora-all [bug 665399]
Comment 4 Vincent Danen 2011-01-05 23:29:39 UTC 
This issue was assigned the name CVE-2010-4533:

http://article.gmane.org/gmane.comp.security.oss.general/4010