OfflineIMAP prior to commit [1] https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a did not perform SSL server certificate validation, even when the "ssl = yes" option was specified in the configuration file. If an attacker was able to get a carefully-crafted certificate signed by a Certificate Authority trusted by OfflineIMAP, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse OfflineIMAP into accepting it by mistake. References: [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603450
This issue affects the versions of the offlineimap package as shipped with Fedora releases 13 and 14. Please schedule an update with the above patch. Note: OfflineIMAP v6.3.1 was also released: [1] http://permalink.gmane.org/gmane.mail.imap.offlineimap.general/2138 but I didn't check whether it contains the change already.
CVE Request: http://www.openwall.com/lists/oss-security/2010/12/23/2
Created offlineimap tracking bugs for this issue. Affects: fedora-all [bug 665399]
This issue was assigned the name CVE-2010-4532: http://article.gmane.org/gmane.comp.security.oss.general/4010