A Debian bug was filed about ssmtp not checking certificates:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662960

And it includes a patch to enable checking of server certificates when using TLS:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=0003-Validate-the-server-certificate-when-using-TLS.patch;att=1;bug=662960

We should include this patch.

Note that this isn't a security _flaw_ because the TLS file in the source tarball clearly states that this feature is missing:

TODO:
* Check server certificate for changes and notify about it.
* Diffrent Certificate and Key file?

This patch would be ideal to have in both Fedora and EPEL ssmtp packages.
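The missing check described above, as an added Python illustration (not ssmtp's own code, which is C on OpenSSL, and not the Debian patch): the TLS setup that negotiates encryption but never validates the server certificate, beside the corrected setup that requires a trusted chain and a hostname match, with a STARTTLS delivery helper that uses whichever is passed in. Host, port, addresses and the optional CA file are caller-supplied assumptions; no real server is contacted by the definitions themselves.

```python
import smtplib
import ssl


def unverified_context():
    """Mirror the behaviour the bug describes: TLS is negotiated, but the
    server certificate is never checked, so a self-signed, expired or
    wrong-host certificate is accepted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """The corrected setting: require a chain to a trusted CA and a
    hostname match. cafile=None (assumed default) uses the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default; stated explicitly
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validates_server(ctx):
    """True only if ctx would reject an untrusted or mis-named server cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def send_over_starttls(host, port, sender, recipients, message, ctx):
    """Deliver one message via SMTP STARTTLS using ctx and return the peer
    certificate subject. With unverified_context() this succeeds against any
    server and the subject is empty; with verifying_context() a certificate
    that fails validation raises ssl.SSLCertVerificationError before any
    mail data is sent."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        smtp.ehlo()
        cert = smtp.sock.getpeercert()   # {} when verification is disabled
        smtp.sendmail(sender, recipients, message)
        return cert.get("subject", ())
```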
*** Bug 864894 has been marked as a duplicate of this bug. ***
Please refer to the SRT bug for this (one of these is a dupe, but using this as the dupe rather than the SRT/CVE bug).

*** This bug has been marked as a duplicate of bug 864894 ***