700648 – (CVE-2011-1429) VUL-0: CVE-2011-1429: mutt: incorrect SSL verification

Bug 700648 (CVE-2011-1429) - VUL-0: CVE-2011-1429: mutt: incorrect SSL verification

Summary: VUL-0: CVE-2011-1429: mutt: incorrect SSL verification

Status:	RESOLVED FIXED

Alias:	CVE-2011-1429

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	General (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Major
Target Milestone:	---
Assignee:	Dr. Werner Fink
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2011-06-17 16:05 UTC by Thomas Biege
Modified:	2014-05-13 14:48 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Biege 2011-06-17 16:05:26 UTC

Hi.
There is a security bug in package 'mutt'.

This bug is public.

There is no coordinated release date (CRD) set.

CVE number: CVE-2011-1429
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1429
CVSS v2 Base Score: 5.8 (moderate) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Input Validation (CWE-20)


Original posting:



CVE-2011-1429

Mutt does not verify that the smtps server hostname matches the domain
name of the subject of an X.509 certificate, which allows man-in-the-middle
attackers to spoof an SSL SMTP server via an arbitrary certificate, a
different vulnerability th

Comment 1 Dr. Werner Fink 2011-06-17 16:51:31 UTC

The fix is missed

Comment 2 Ludwig Nussel 2011-06-20 08:11:49 UTC

http://dev.mutt.org/trac/ticket/3506

Comment 3 Dr. Werner Fink 2011-06-20 08:15:35 UTC

Already found

Comment 4 Ludwig Nussel 2011-06-20 08:22:26 UTC

The upstream report refers to gnutls only. I think we have mutt linked against openssl everywhere.

Comment 5 Dr. Werner Fink 2011-06-20 10:46:31 UTC

(In reply to comment #4)

Does this mean we should skip any update concerning the
gnutls security bug?

Comment 6 Dr. Werner Fink 2011-06-20 13:26:28 UTC

submitted a fixed version to factory even if not used

Comment 7 Ludwig Nussel 2011-06-20 13:46:35 UTC

ok, thanks.

Comment 8 Bernhard Wiedemann 2011-06-20 14:00:27 UTC

This is an autogenerated message for OBS integration:
This bug (700648) was mentioned in
https://build.opensuse.org/request/show/74206 Factory / mutt

Comment 9 Leonardo Chiquitto 2011-06-23 21:57:42 UTC

> The upstream report refers to gnutls only. I think we have mutt linked against
> openssl everywhere.

This means the bug doesn't exist on SLES, right?

Comment 10 Thomas Biege 2011-06-24 12:31:00 UTC

(In reply to comment #9)
> > The upstream report refers to gnutls only. I think we have mutt linked against
> > openssl everywhere.
> 
> This means the bug doesn't exist on SLES, right?

Yes.