20476 2009-06-17 12:17:07 +0400 CVE-2009-1390 Mutt X.509 Certificate Chain Security Bypass Vulnerability 2009-06-24 10:30:17 +0400 1 1 4 Development Sisyphus mutt1.5 unstable all Linux CLOSED FIXED http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1390 security P3 critical --- 1 crux nobody qa-sisyphus oldest_to_newest 93186 0 crux 2009-06-17 12:17:07 +0400 Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections when only one TLS certificate in the chain is accepted instead of verifying the entire chain, which allows remote attackers to spoof trusted servers via a man-in-the-middle attack. Fixed in hg: http://dev.mutt.org/hg/mutt/rev/8f11dd00c770 http://dev.mutt.org/hg/mutt/rev/64bf199c8d8a 93294 1 crux 2009-06-19 09:13:20 +0400 Released 1.5.20: http://marc.info/?l=mutt-announce&m=124500824219953&w=2 93304 2 raorn 2009-06-19 15:00:18 +0400 Да, я в курсе. Занимаюсь притиранием шестидесяти левых патчей. 93410 3 repository-robot 2009-06-21 20:40:16 +0400 mutt1.5-3:1.5.20-alt1 -> sisyphus: * Sun Jun 21 2009 Alexey I. Froloff <raorn@altlinux> 3:1.5.20-alt1 - [1.5.20] (closes: #20476) ! $fcc_attach is a quadoption now + $honor_disposition to honor Content-Disposition headers + $search_context specifies number of context lines for search results in pager/page-based menus ! ssl_use_sslv2 defaults to no + uncolor works for header + body objects, too + the "flagged" and "replied" flags are enabled/supported for POP when built with header caching ! browser correctly displays maildir's mtime + <set-flag> and <clear-flag> work in the pager, too + ~x pattern also matches against In-Reply-To + lower case patterns for string searches perform case-insensitive search as regex patterns do (except IMAP) + $ssl_verify_dates controls whether mutt checks the validity period of SSL certificates + $ssl_verify_hostname controls whether mutt will accept certificates whose host names do not match the host name in the folder URL. - Removed dependency on perl(timelocal.pl) (closes: #7061) 93606 4 crux 2009-06-24 10:30:17 +0400 closed