Red Hat Bugzilla – Bug 909959
CVE-2013-0289 isync: Incorrect server's SSL x509.v3 certificate validation when performing IMAP synchronization
Last modified: 2013-04-30 19:54:39 EDT
A security flaw was found in the way isync, a command line application to synchronize IMAP4 and Maildir mailboxes, (previously) performed the server's SSL x509.v3 certificate validation when performing IMAP protocol based synchronization (the server's hostname was previously not compared against the CN field of the certificate). A rogue server could use this flaw to conduct man-in-the-middle (MITM) attacks, possibly leading to disclosure of sensitive information.
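As an added example (not isync's own code and not the upstream patch attached to this bug), the following Python shows the check the description says was missing: comparing the hostname the client connected to against the names carried in the server certificate. It goes beyond the plain CN comparison in the report by also honouring subjectAltName dNSName entries and a single leftmost-label wildcard as RFC 6125 describes; the CertNames class and all sample names are constructed for the example, not taken from any real certificate.

```python
"""Hostname-vs-certificate matching of the kind isync lacked before 1.0.6.

Added example, not isync code. A chain that verifies against a trusted CA
only proves that *some* name was certified; without the step below a
rogue server holding a valid certificate for its own name would be accepted.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """Names extracted from a server certificate (constructed sample data)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname (RFC 6125 section 6.4.3).

    - comparison is case-insensitive and ignores a trailing dot
    - '*' is honoured only as the entire leftmost label, matches exactly one
      label, and must leave at least two literal labels ('*.com' is rejected)
    - IP-address literals are out of scope; they are not dNSName matches
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False  # partial-label or non-leftmost wildcards are not accepted
    # the wildcard consumes exactly one label, so label counts must agree
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_matches_host(cert: CertNames, hostname: str) -> bool:
    """Return True if the certificate is valid for hostname.

    When dNSName SANs are present only those are consulted (RFC 6125 6.4.4);
    the CN is consulted only for SAN-less certificates. Either way the
    certificate must name the host the client actually dialed.
    """
    if cert.san_dns:
        return any(dns_name_matches(n, hostname) for n in cert.san_dns)
    return dns_name_matches(cert.common_name, hostname)


def accept_server(cert: CertNames, chain_ok: bool, hostname: str) -> bool:
    """The corrected decision: chain validity AND a hostname match."""
    return chain_ok and certificate_matches_host(cert, hostname)


def demo() -> dict:
    """Constructed scenarios; the rogue certificate has a valid chain but
    names a different host, which is exactly the case the bug describes."""
    dialed = "imap.example.com"
    genuine = CertNames("imap.example.com")
    wildcard = CertNames("example.com", ["*.example.com"])
    rogue = CertNames("rogue.example.net")
    return {
        "genuine": accept_server(genuine, True, dialed),
        "wildcard": accept_server(wildcard, True, dialed),
        "rogue_chain_only": True,  # what a CN-blind check would have returned
        "rogue": accept_server(rogue, True, dialed),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accept' if accepted else 'reject'}")
```

The rogue scenario is the one the report describes: its chain verifies, so a client that stops at chain validation accepts it, while accept_server rejects it because no certified name matches the host that was dialed.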
Created attachment 696105
Proposed isync upstream patch (against the 1.0.x branch) to correct this issue
Created attachment 696107
Proposed isync upstream patch (against the master branch) to correct this issue
The CVE identifier of CVE-2013-0289 has been assigned to this issue.
This is now public:
And fixed in version 1.0.6 via this commit to git:
Created isync tracking bugs for this issue
Affects: fedora-all [bug 913221]
Affects: epel-all [bug 913222]