In commit [1] https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a, when SSL server certificate validation support was added to OfflineIMAP, it was still possible to use the SSL v2 protocol version. Version 2 of the SSL protocol is known to be prone to multiple deficiencies, each of them having security implications (to mention some of them): [2] http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security

Thus the SSLv2 protocol version should be disabled in OfflineIMAP.

References:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962
This issue affects the versions of the offlineimap package, as shipped with Fedora releases 13 and 14. Please schedule an update.

Note: According to the Python SSL module documentation: http://docs.python.org/library/ssl.html it should be possible to specify the SSL version in the 'wrap_socket()' routine ("ssl_version" argument). So it should be enough to specify an appropriate value for it in imaplibutil.py:

121 + self.sslobj = ssl.wrap_socket(self.sock, self.keyfile,
122 + self.certfile,
123 + ca_certs = self._cacertfile,
124 + cert_reqs = requirecert)

(based on: https://github.com/nicolas33/offlineimap/commit/4f57b94e2333c37c5a7251fc88dfeda9bc0b226a)
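The fix the comment above asks for, pinning the protocol version instead of accepting the ssl module's default, written out as an added example for current Python 3 (this is not OfflineIMAP's code and not the commit under discussion; ssl.wrap_socket() and PROTOCOL_SSLv2 are gone from modern Python, so the example uses SSLContext.minimum_version, the present-day equivalent of the ssl_version argument). The function and parameter names (make_client_context, wrap_imap_socket, permissive_context, rejects_legacy_ssl, cafile, hostname) are this example's own; the use of a CA file mirrors the ca_certs argument in the quoted call. The wrap_imap_socket() call performs a real handshake and needs a connected socket, so it is shown but not exercised here; the context checks run offline.

```python
"""Added example (not OfflineIMAP's code): fix the TLS protocol floor when
wrapping an IMAP socket, instead of relying on the ssl module's default."""
import ssl


def make_client_context(cafile=None, minimum=ssl.TLSVersion.TLSv1_2):
    """Build a client SSLContext that cannot negotiate SSLv2, SSLv3 or old TLS.

    The explicit minimum_version is the modern form of the 'ssl_version'
    argument the bug report asks for. Omitting it was the defect in the
    quoted commit: Python 2.6's wrap_socket() default protocol was
    PROTOCOL_SSLv23, which still allowed an SSLv2 handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    # PROTOCOL_TLS_CLIENT already sets these; stated explicitly so the
    # certificate validation the commit added is visible alongside the floor.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile is not None:
        # Equivalent of ca_certs=self._cacertfile in the quoted call
        # (cafile is this example's name for the operator-supplied CA bundle).
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def permissive_context():
    """The weak configuration for comparison: no protocol floor at all,
    i.e. whatever the linked OpenSSL still supports, analogous to the
    unpinned default in the quoted wrap_socket() call."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def wrap_imap_socket(sock, hostname, cafile=None):
    """Wrap an already-connected TCP socket the way imaplibutil.py does,
    but with the protocol floor fixed. The TLS handshake runs on return,
    and the peer certificate is checked against hostname (example name)."""
    ctx = make_client_context(cafile)
    return ctx.wrap_socket(sock, server_hostname=hostname)


def rejects_legacy_ssl(ctx):
    """True if the context can negotiate neither SSLv2 nor SSLv3.

    TLSVersion is an IntEnum, so the comparison is by protocol number;
    MINIMUM_SUPPORTED (the unpinned case) compares below TLSv1.
    """
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1


def minimum_version_name(ctx):
    """Name of the lowest protocol version the context will accept."""
    return ctx.minimum_version.name
```

A practitioner checking a deployed configuration can apply rejects_legacy_ssl() to the context actually handed to wrap_socket(); a context built the permissive way fails that check, while make_client_context() passes it regardless of which CA file is loaded.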
CVE Request: http://www.openwall.com/lists/oss-security/2010/12/23/2
Created offlineimap tracking bugs for this issue Affects: fedora-all [bug 665399]
This issue was assigned the name CVE-2010-4533: http://article.gmane.org/gmane.comp.security.oss.general/4010