909959 – (CVE-2013-0289) CVE-2013-0289 isync: Incorrect server's SSL x509.v3 certificate validation when performing IMAP synchronization

Bug 909959 (CVE-2013-0289) - CVE-2013-0289 isync: Incorrect server's SSL x509.v3 certificate validation when performing IMAP synchronization

Summary: CVE-2013-0289 isync: Incorrect server's SSL x509.v3 certificate validation wh...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2013-0289
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	913221 913222
Blocks:
TreeView+	depends on / blocked

Reported:	2013-02-11 14:25 UTC by Jan Lieskovsky
Modified:	2019-09-29 13:00 UTC (History)
CC List:	3 users (show)
Fixed In Version:	isync 1.0.6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-05-13 06:51:07 UTC
Embargoed:

Attachments	(Terms of Use)
Proposed isync upstream patch (against the 1.0.x branch) to correct this issue (3.96 KB, patch) 2013-02-11 14:32 UTC, Jan Lieskovsky	no flags	Details \| Diff
Proposed isync upstream patch (against the master branch) to correct this issue (7.89 KB, patch) 2013-02-11 14:33 UTC, Jan Lieskovsky	no flags	Details \| Diff
View All

Description Jan Lieskovsky 2013-02-11 14:25:43 UTC

A security flaw was found in the way isync, a command line application to synchronize IMAP4 and Maildir mailboxes, (previously) performed server's SSL x509.v3 certificate validation, when performing IMAP protocol based synchronization (server's hostname was previously not compared for match the CN field of the certificate). A rogue server could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly leading to disclosure of sensitive information.

Comment 2 Jan Lieskovsky 2013-02-11 14:32:23 UTC

Created attachment 696105 [details]
Proposed isync upstream patch (against the 1.0.x branch) to correct this issue

Comment 3 Jan Lieskovsky 2013-02-11 14:33:03 UTC

Created attachment 696107 [details]
Proposed isync upstream patch (against the master branch) to correct this issue

Comment 5 Jan Lieskovsky 2013-02-15 12:07:33 UTC

The CVE identifier of CVE-2013-0289 has been assigned to this issue.

Comment 6 Vincent Danen 2013-02-20 16:40:29 UTC

This is now public:

http://www.openwall.com/lists/oss-security/2013/02/20/9

And fixed in version 1.0.6 via this commit to git:

http://isync.git.sourceforge.net/git/gitweb.cgi?p=isync/isync;a=patch;h=914ede18664980925628a9ed2a73ad05f85aeedb

Comment 7 Vincent Danen 2013-02-20 16:42:17 UTC

Created isync tracking bugs for this issue

Affects: fedora-all [bug 913221]
Affects: epel-all [bug 913222]

Comment 8 Christophe Fergeau 2019-05-13 06:50:49 UTC

The patch is present isync 1.1.0, all fedora versions have an isync version newer than that, this bug can be closed.

Comment 9 Christophe Fergeau 2019-05-13 06:51:55 UTC

epel has a much newer version these days (1.2.0) so this is fixed already.

Note You need to log in before you can comment on or make changes to this bug.