Bug 754980 (CVE-2011-4318)
| Summary: | CVE-2011-4318 dovecot: proxy destination host name not checked against SSL certificate name | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | jrusnack, kvolny, mhlavink, scorneli, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-22 04:34:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 754981, 885557 | | |
| Bug Blocks: | 754985, 855229 | | |
Description
Jan Lieskovsky
2011-11-18 13:22:01 UTC
This issue did NOT affect the versions of the dovecot package, as shipped with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the versions of the dovecot package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the dovecot package, as shipped with Fedora release of 14, 15, and 16. Please schedule an update.

Created dovecot tracking bugs for this issue

Affects: fedora-all [bug 754981]

CVE request:
[6] http://www.openwall.com/lists/oss-security/2011/11/18/4

This issue was assigned the name CVE-2011-4318:
http://www.openwall.com/lists/oss-security/2011/11/18/7

(In reply to comment #0)
> Relevant upstream patch:
> [5] http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1

Follow-up patch improving backwards compatibility with older versions. Name check is only done when proxy destination is identified using hostname and not when its IP address is used in the configuration:
http://hg.dovecot.org/dovecot-2.0/rev/de8715e4d793

Dovecot versions 1.x do not allow using hostnames as proxy destinations, and 2.1 does not include this backwards compatibility workaround. For further details, see Timo Sirainen's mail:
http://thread.gmane.org/gmane.comp.security.oss.general/6275/focus=6276

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6 Via RHSA-2013:0520 https://rhn.redhat.com/errata/RHSA-2013-0520.html

Statement:

(none)
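The check the bug is about, written out as an added Python illustration (this is not dovecot code and not part of the bug report): a client that opens a TLS connection to a configured proxy destination must confirm that the server's certificate is actually issued for that destination, otherwise any certificate from any trusted CA would be accepted. The function below takes a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns and matches the configured destination against its DNS SANs (single-label wildcards only, CN used only as a fallback when no DNS SAN exists). It also models the two behaviours discussed in the thread for destinations written as IP literals: with `check_ip=True` the address must appear as an "IP Address" SAN; with `check_ip=False` IP destinations are not checked at all, which is the backwards-compatibility behaviour the follow-up patch kept. The certificate contents, host names and the `check_ip` parameter are constructed for the example.

```python
import ipaddress

# Constructed sample certificate in the dict shape returned by
# ssl.SSLSocket.getpeercert(); all names here are made up for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "imap.example.test"),),),
    "subjectAltName": (
        ("DNS", "imap.example.test"),
        ("DNS", "*.mail.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed legacy certificate that carries no subjectAltName at all.
CN_ONLY_CERT = {
    "subject": ((("commonName", "pop.example.test"),),),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, a wildcard is accepted only
    as the entire left-most label, and it never spans more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "*", "*.test" and any pattern with a wildcard outside the first label.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def cert_matches_destination(cert, destination, check_ip=True):
    """Return True if the configured proxy destination is a name or address
    the certificate is valid for.

    destination -- the host exactly as written in the configuration: a DNS
                   name or an IP literal.
    check_ip    -- True: an IP destination must appear as an "IP Address" SAN
                   (the strict choice). False: IP destinations are not checked
                   at all, mirroring the compatibility workaround in the bug.
    """
    sans = cert.get("subjectAltName", ())
    if _is_ip_literal(destination):
        if not check_ip:
            return True  # compatibility behaviour: no check for IP destinations
        want = ipaddress.ip_address(destination)
        return any(kind == "IP Address" and ipaddress.ip_address(value) == want
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if not dns_names:
        # Fall back to the subject CN only when there are no DNS SANs.
        dns_names = [value for rdn in cert.get("subject", ())
                     for key, value in rdn if key == "commonName"]
    return any(_dns_name_matches(name, destination) for name in dns_names)
```

In a real client this logic is better left to the TLS library (for Python, an `ssl.SSLContext` with `check_hostname = True` and `server_hostname` passed to `wrap_socket`); the point of spelling it out is that a destination given as an IP address still needs a matching "IP Address" SAN to get the same guarantee a hostname does, which is exactly what the `check_ip=False` compatibility path gives up.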