Bug 20476 - CVE-2009-1390 Mutt X.509 Certificate Chain Security Bypass Vulnerability
Summary: CVE-2009-1390 Mutt X.509 Certificate Chain Security Bypass Vulnerability
Alias: None
Product: Sisyphus
Classification: Development
Component: mutt1.5 (show other bugs)
Version: unstable
Hardware: all Linux
: P3 critical
Assignee: Nobody's working on this, feel free to take it
QA Contact: qa-sisyphus
URL: http://web.nvd.nist.gov/view/vuln/det...
Keywords: security
Depends on:
Reported: 2009-06-17 12:17 MSD by Vladimir Lettiev
Modified: 2009-06-24 10:30 MSD (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Vladimir Lettiev 2009-06-17 12:17:07 MSD
Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections when only one TLS certificate in the chain is accepted instead of verifying the entire chain, which allows remote attackers to spoof trusted servers via a man-in-the-middle attack.

Fixed in hg:
Comment 1 Vladimir Lettiev 2009-06-19 09:13:20 MSD
Released 1.5.20: http://marc.info/?l=mutt-announce&m=124500824219953&w=2
Comment 2 Sir Raorn 2009-06-19 15:00:18 MSD
Да, я в курсе.  Занимаюсь притиранием шестидесяти левых патчей.
Comment 3 Repository Robot 2009-06-21 20:40:16 MSD
mutt1.5-3:1.5.20-alt1 -> sisyphus:

* Sun Jun 21 2009 Alexey I. Froloff <raorn@altlinux> 3:1.5.20-alt1

- [1.5.20] (closes: #20476)
  ! $fcc_attach is a quadoption now
  + $honor_disposition to honor Content-Disposition headers
  + $search_context specifies number of context lines for search results
    in pager/page-based menus
  ! ssl_use_sslv2 defaults to no
  + uncolor works for header + body objects, too
  + the "flagged" and "replied" flags are enabled/supported for
    POP when built with header caching
  ! browser correctly displays maildir's mtime
  + <set-flag> and <clear-flag> work in the pager, too
  + ~x pattern also matches against In-Reply-To
  + lower case patterns for string searches perform case-insensitive
    search as regex patterns do (except IMAP)
  + $ssl_verify_dates controls whether mutt checks the validity period of
    SSL certificates
  + $ssl_verify_hostname controls whether mutt will accept certificates whose
    host names do not match the host name in the folder URL.
- Removed dependency on perl(timelocal.pl) (closes: #7061)
Comment 4 Vladimir Lettiev 2009-06-24 10:30:17 MSD