Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1429 to
the following vulnerability:
Mutt does not verify that the smtps server hostname matches the domain
name of the subject of an X.509 certificate, which allows
man-in-the-middle attackers to spoof an SSL SMTP server via an
arbitrary certificate, a different vulnerability than CVE-2009-3766.
Created mutt tracking bugs for this issue
Affects: fedora-all [bug 688756]
Upstream bug report:
Created attachment 501098 [details]
proposed patch - always check the first cert in chain
As noted in the upstream bug report and later posts in the full-disclosure thread, this problem is not restricted to SMTP SSL connections as the initial report and CVE description indicate, but rather is an SSL verification problem affecting other protocols (IMAP, POP3) too, and only affects mutt versions built with GnuTLS, not OpenSSL. The problem is caused by a bug in the code performing verification of the SSL certificate chain, which may cause a host name check failure to be ignored if the certificate was issued by a trusted CA.
This affected mutt in Red Hat Enterprise Linux 6. The mutt versions in Red Hat Enterprise Linux 4 and 5 are built with OpenSSL, but they do not yet implement any host name checking (see bug #531011).
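A constructed C model of the ordering flaw described above, added here for illustration; it is not mutt's code or the proposed patch, and `cert_t`, `verdict_t`, `check_cert_flawed` and `check_cert_fixed` are hypothetical names. `certstat` stands in for a GnuTLS-style chain verification status, where 0 means the chain validated against a trusted CA.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model (not mutt's code): the leaf certificate the server
 * presents, reduced to the subject name the client must compare. */
typedef struct {
    const char *subject_cn;
} cert_t;

/* Outcome of checking the server certificate. */
typedef enum { VERDICT_REJECT, VERDICT_ASK_USER, VERDICT_ACCEPT } verdict_t;

static bool hostname_matches(const cert_t *c, const char *host) {
    return strcmp(c->subject_cn, host) == 0;
}

/* Flawed ordering, modelling the report: a chain that validates against a
 * trusted CA is accepted before the leaf's host name is ever compared, so a
 * CA-issued certificate for an unrelated host passes as the server's. The
 * host name check only influences the untrusted-chain path. */
verdict_t check_cert_flawed(const cert_t *leaf, unsigned certstat, const char *host) {
    if (certstat == 0)
        return VERDICT_ACCEPT;               /* host name never examined */
    if (!hostname_matches(leaf, host))
        return VERDICT_REJECT;
    return VERDICT_ASK_USER;                 /* untrusted chain, name matches */
}

/* Fixed ordering, in the spirit of "always check the first cert in chain":
 * the leaf's host name is compared unconditionally, and only then does the
 * chain trust status decide between acceptance and asking the user. */
verdict_t check_cert_fixed(const cert_t *leaf, unsigned certstat, const char *host) {
    if (!hostname_matches(leaf, host))
        return VERDICT_REJECT;               /* mismatch is fatal regardless of CA */
    return certstat == 0 ? VERDICT_ACCEPT : VERDICT_ASK_USER;
}
```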
(In reply to comment #3)
> Created attachment 501098 [details]
> proposed patch - always check the first cert in chain
It seems the change has not been committed upstream yet, even though it was proposed a while ago. Were there any concerns upstream regarding this fix? Do we want to wait a bit longer for it to be accepted?
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0959 https://rhn.redhat.com/errata/RHSA-2011-0959.html