A security flaw was found in the way isync, a command line application to synchronize IMAP4 and Maildir mailboxes, (previously) performed server's SSL x509.v3 certificate validation, when performing IMAP protocol based synchronization (server's hostname was previously not compared for match the CN field of the certificate). A rogue server could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly leading to disclosure of sensitive information.
Created attachment 696105 [details] Proposed isync upstream patch (against the 1.0.x branch) to correct this issue
Created attachment 696107 [details] Proposed isync upstream patch (against the master branch) to correct this issue
The CVE identifier of CVE-2013-0289 has been assigned to this issue.
This is now public: http://www.openwall.com/lists/oss-security/2013/02/20/9 And fixed in version 1.0.6 via this commit to git: http://isync.git.sourceforge.net/git/gitweb.cgi?p=isync/isync;a=patch;h=914ede18664980925628a9ed2a73ad05f85aeedb
Created isync tracking bugs for this issue Affects: fedora-all [bug 913221] Affects: epel-all [bug 913222]
The patch is present isync 1.1.0, all fedora versions have an isync version newer than that, this bug can be closed.
epel has a much newer version these days (1.2.0) so this is fixed already.