Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3765 to the following vulnerability: mutt_ssl.c in mutt 1.5.19 and 1.5.20, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. References: ----------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3765 http://marc.info/?l=oss-security&m=125198917018936&w=2 http://marc.info/?l=oss-security&m=125369675820512&w=2 http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html Upstream patch: --------------- http://dev.mutt.org/trac/changeset/6016:dc09812e63a3/mutt_ssl.c
This issue does NOT affect the versions of the mutt package, as shipped with Red Hat Enteprise Linux 3, 4, and 5. This issue affects the versions of the mutt package, as shipped with Fedora release of 10 and 11, and as scheduled to appear in Fedora release of 12. Please fix.
(In reply to comment #1) > This issue affects the versions of the mutt package, as shipped with > Fedora release of 10 and 11, and as scheduled to appear in Fedora > release of 12. mutt versions in current Fedora versions use GnuTLS and not OpenSSL and hence are not affected by this flaw.
(In reply to comment #1) > This issue does NOT affect the versions of the mutt package, as shipped > with Red Hat Enteprise Linux 3, 4, and 5. Those version are "not affected", as they do not perform name checking at all, see bug #531011 / CVE-2009-3766 for further details.