Bug 688755 - (CVE-2011-1429) CVE-2011-1429 mutt: SSL host name check may be skipped when verifying certificate chain
Status: ASSIGNED
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20110308,repor...
: Security
Depends On: 688756 716889 716890
Blocks: 716430
Reported: 2011-03-17 18:13 EDT by Vincent Danen
Modified: 2015-11-24 09:39 EST

Doc Type: Bug Fix


Attachments
proposed patch - always check the first cert in chain (1.05 KB, patch)
2011-05-26 09:57 EDT, Honza Horak


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0959 normal SHIPPED_LIVE Moderate: mutt security update 2011-07-19 14:01:55 EDT

Description Vincent Danen 2011-03-17 18:13:36 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1429 to
the following vulnerability:

Name: CVE-2011-1429
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1429
Assigned: 20110316
Reference: http://seclists.org/fulldisclosure/2011/Mar/87
Reference: http://www.securityfocus.com/bid/46803
Reference: http://xforce.iss.net/xforce/xfdb/66015

Mutt does not verify that the smtps server hostname matches the domain
name of the subject of an X.509 certificate, which allows
man-in-the-middle attackers to spoof an SSL SMTP server via an
arbitrary certificate, a different vulnerability than CVE-2009-3766.
Comment 1 Vincent Danen 2011-03-17 18:14:33 EDT
Created mutt tracking bugs for this issue

Affects: fedora-all [bug 688756]
Comment 2 Jan Lieskovsky 2011-03-22 13:13:45 EDT
Upstream bug report:

http://dev.mutt.org/trac/ticket/3506
Comment 3 Honza Horak 2011-05-26 09:57:26 EDT
Created attachment 501098 [details]
proposed patch - always check the first cert in chain
Comment 9 Tomas Hoger 2011-06-27 07:00:34 EDT
As noted in the upstream bug report and later posts in the full-disclosure thread, this problem is not restricted to SMTP SSL connections as the initial report and CVE description indicate, but rather is an SSL verification problem affecting other protocols (IMAP, POP3) too, and only affects mutt versions built with GnuTLS, and not OpenSSL. The problem is caused by a bug in the code performing verification of the SSL certificate chain, that may cause a host name check failure to be ignored if the certificate was issued by a trusted CA.

This affected mutt in Red Hat Enterprise Linux 6.  The mutt versions in Red Hat Enterprise Linux 4 and 5 are built with OpenSSL, but they do not yet implement any host name checking (see bug #531011).
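
A simplified model of the failure mode described in comment 9, added here as an illustration; it is not mutt's code and not the attached patch. The struct, the function names and the sample chain are hypothetical, signature validation is assumed to happen elsewhere, and plain string comparison stands in for real host name matching.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of one certificate; index 0 of a chain is the server (leaf) cert. */
struct cert {
    const char *subject_host;  /* host the cert was issued for; NULL for a CA cert */
    bool trusted;              /* present in the local trust store (assumed model) */
};

/* The host name check only makes sense for the leaf certificate. */
static bool host_matches(const struct cert *leaf, const char *host)
{
    return leaf->subject_host != NULL && strcmp(leaf->subject_host, host) == 0;
}

/* Flawed pattern: walk the chain from the issuer end and accept as soon as any
 * certificate passes its own check. A trusted issuer at index > 0 ends the walk
 * before the leaf's host name failure is ever taken into account. */
bool verify_chain_flawed(const struct cert *chain, size_t n, const char *host)
{
    for (size_t i = n; i-- > 0; ) {
        bool ok = chain[i].trusted;
        if (i == 0)
            ok = ok && host_matches(&chain[0], host);
        if (ok)
            return true;
    }
    return false;
}

/* Corrected pattern: always check the first certificate in the chain against
 * the host name; trust in an issuer can never substitute for that check. */
bool verify_chain_fixed(const struct cert *chain, size_t n, const char *host)
{
    if (n == 0 || !host_matches(&chain[0], host))
        return false;
    for (size_t i = 0; i < n; i++)
        if (chain[i].trusted)
            return true;
    return false;
}
```
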
Comment 11 Tomas Hoger 2011-06-27 07:17:44 EDT
(In reply to comment #3)
> Created attachment 501098 [details]
> proposed patch - always check the first cert in chain

It seems the change has not been committed upstream yet, even though it was proposed a while ago. Were there any concerns upstream regarding this fix? Do we want to wait a bit longer for it to be accepted?
Comment 14 errata-xmlrpc 2011-07-19 14:02:01 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0959 https://rhn.redhat.com/errata/RHSA-2011-0959.html
