Bug 688755 (CVE-2011-1429) - CVE-2011-1429 mutt: SSL host name check may be skipped when verifying certificate chain
Summary: CVE-2011-1429 mutt: SSL host name check may be skipped when verifying certifi...
Keywords:
Status: ASSIGNED
Alias: CVE-2011-1429
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 688756 716889 716890
Blocks: 716430
TreeView+ depends on / blocked
 
Reported: 2011-03-17 22:13 UTC by Vincent Danen
Modified: 2019-09-29 12:43 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)
proposed patch - always check the first cert in chain (1.05 KB, patch)
2011-05-26 13:57 UTC, Honza Horak
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0959 0 normal SHIPPED_LIVE Moderate: mutt security update 2011-07-19 18:01:55 UTC

Description Vincent Danen 2011-03-17 22:13:36 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1429 to
the following vulnerability:

Name: CVE-2011-1429
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1429
Assigned: 20110316
Reference: http://seclists.org/fulldisclosure/2011/Mar/87
Reference: http://www.securityfocus.com/bid/46803
Reference: http://xforce.iss.net/xforce/xfdb/66015

Mutt does not verify that the smtps server hostname matches the domain
name of the subject of an X.509 certificate, which allows
man-in-the-middle attackers to spoof an SSL SMTP server via an
arbitrary certificate, a different vulnerability than CVE-2009-3766.

Comment 1 Vincent Danen 2011-03-17 22:14:33 UTC
Created mutt tracking bugs for this issue

Affects: fedora-all [bug 688756]

Comment 2 Jan Lieskovsky 2011-03-22 17:13:45 UTC
Upstream bug report:

http://dev.mutt.org/trac/ticket/3506

Comment 3 Honza Horak 2011-05-26 13:57:26 UTC
Created attachment 501098 [details]
proposed patch - always check the first cert in chain

Comment 9 Tomas Hoger 2011-06-27 11:00:34 UTC
As noted in the upstream bug report and later posts in the full-disclosure thread, this problem is not restricted to SMTP SSL connections as initial report and CVE description indicate, but rather is an SSL verification problem affecting other protocols (IMAP, POP3) too, and only affects mutt versions built with GnuTLS, and not OpenSSL.  The problem is caused by a bug in the code performing verifications of SSL certificate chain, that may cause host name check failure to be ignored if certificate was issued by a trusted CA.

This affected mutt in Red Hat Enterprise Linux 6.  The mutt versions in Red Hat Enterprise Linux 4 and 5 are built with OpenSSL, but they do not yet implement any host name checking (see bug #531011).

Comment 11 Tomas Hoger 2011-06-27 11:17:44 UTC
(In reply to comment #3)
> Created attachment 501098 [details]
> proposed patch - always check the first cert in chain

It seem the change as not been committed upstream yet, even though it was proposed a while ago.  Were there any concerns upstream regarding this fix?  Do we want to wait a bit longer for it to be accepted?

Comment 14 errata-xmlrpc 2011-07-19 18:02:01 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0959 https://rhn.redhat.com/errata/RHSA-2011-0959.html


Note You need to log in before you can comment on or make changes to this bug.