Bug 909959 - (CVE-2013-0289) CVE-2013-0289 isync: Incorrect server's SSL x509.v3 certificate validation when performing IMAP synchronization
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130220,repor...
Keywords: Security
Depends On: 913222 913221
Reported: 2013-02-11 09:25 EST by Jan Lieskovsky
Modified: 2013-04-30 19:54 EDT

Fixed In Version: isync 1.0.6
Doc Type: Bug Fix


Attachments
Proposed isync upstream patch (against the 1.0.x branch) to correct this issue (3.96 KB, patch), 2013-02-11 09:32 EST, Jan Lieskovsky
Proposed isync upstream patch (against the master branch) to correct this issue (7.89 KB, patch), 2013-02-11 09:33 EST, Jan Lieskovsky

Description Jan Lieskovsky 2013-02-11 09:25:43 EST
A security flaw was found in the way isync, a command line application to synchronize IMAP4 and Maildir mailboxes, (previously) performed the server's SSL x509.v3 certificate validation when performing IMAP protocol based synchronization (the server's hostname was previously not compared against the CN field of the certificate). A rogue server could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly leading to disclosure of sensitive information.
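The missing check described above, as an added illustration that is not isync's code or its upstream patch: a hostname-to-certificate match that prefers subjectAltName DNS entries and falls back to the subject CN only when none exist. It is written in Python for readability; the certificate dicts are constructed and mirror the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and certificate chain validation is assumed to have been done separately.

```python
"""Hostname check of the kind isync 1.0.x lacked: the IMAP server's
hostname must match the certificate's subjectAltName DNS entries
(preferred) or, only when none exist, its subject CN (RFC 6125).

Constructed example; `cert` dicts mirror the shape returned by
Python's ssl.SSLSocket.getpeercert()."""


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive label-wise match. A single '*' is allowed only as
    the whole left-most label, it matches exactly one label, and the
    pattern must keep at least two literal labels after it."""
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return plabels == hlabels
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    if any("*" in label for label in plabels[1:]):
        return False
    # Same label count and identical tail; the host's first label must be non-empty.
    return (len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
            and hlabels[0] != "")


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """Return True only if the certificate was issued for `hostname`.
    Chain validation is a separate step and is assumed to have passed."""
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        # RFC 6125 6.4.4: when dNSName SANs are present, the CN is ignored.
        return any(dnsname_matches(n, hostname) for n in san)
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(dnsname_matches(cn, hostname) for cn in cns)


# Constructed certificates standing in for what a server would present.
CERT_CN_ONLY = {"subject": ((("commonName", "imap.example.org"),),)}
CERT_WILDCARD = {"subject": ((("commonName", "example.org"),),),
                 "subjectAltName": (("DNS", "*.example.org"),)}
# CN matches but the SAN list does not: must be rejected (SAN takes precedence).
CERT_CN_BUT_WRONG_SAN = {"subject": ((("commonName", "imap.example.org"),),),
                         "subjectAltName": (("DNS", "other.example.net"),)}
```

A chain-valid certificate for a different hostname, which the unpatched client accepted, fails `hostname_matches_cert` here, which is the check that defeats the MiTM scenario in the description.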
Comment 2 Jan Lieskovsky 2013-02-11 09:32:23 EST
Created attachment 696105 [details]
Proposed isync upstream patch (against the 1.0.x branch) to correct this issue
Comment 3 Jan Lieskovsky 2013-02-11 09:33:03 EST
Created attachment 696107 [details]
Proposed isync upstream patch (against the master branch) to correct this issue
Comment 5 Jan Lieskovsky 2013-02-15 07:07:33 EST
The CVE identifier of CVE-2013-0289 has been assigned to this issue.
Comment 7 Vincent Danen 2013-02-20 11:42:17 EST
Created isync tracking bugs for this issue

Affects: fedora-all [bug 913221]
Affects: epel-all [bug 913222]
