| Summary: | mutt new security issue CVE-2011-1429 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, derekjenn, jquelin, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | mutt-1.5.21-3.2.mga1.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2012-04-02 18:07:29 CEST
David Walser
2012-04-02 18:08:03 CEST
Blocks: (none) => 5046

Remco Rijnders
2012-04-03 06:43:29 CEST
Assignee: bugsquad => shikamaru

Remco Rijnders
2012-04-03 06:54:43 CEST
Assignee: shikamaru => jquelin

upstream bug: http://dev.mutt.org/trac/ticket/3506

patched on cauldron, freeze push requested.

mutt-1.5.21-3.3.mga1 available in mga1 core/updates_testing
==> qa, please test & push to core/updates

CC: (none) => jquelin

Advisory:
========================

Updated mutt packages fix security vulnerability:

Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766 (CVE-2011-1429).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1429
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:048
========================

Updated packages in core/updates_testing:
========================
mutt-1.5.21-3.3.mga1
mutt-doc-1.5.21-3.3.mga1
mutt-utf8-1.5.21-3.3.mga1

from mutt-1.5.21-3.3.mga1.src.rpm

(In reply to comment #1)
> upstream bug: http://dev.mutt.org/trac/ticket/3506
>
> patched on cauldron, freeze push requested.

Jerome, about Cauldron, Nicolas Vigier had this to say:
"As the version didn't change and we are not yet in release freeze, you should be able to submit yourself."

I haven't used mutt before. In all of the .muttrc examples I've seen, the user name is specified as
set imap_user = "yourusername@gmail.com"

In testing connections to my own cyrus-imapd server, I found I had to specify
set imap_user =dave@hodgins.homeip.net
without the quotes. Same with the imap_pass.

According to the muttrc man page, the quoting should be allowed. I'll test with the prior version, to see if this is a regression or not.

CC: (none) => davidwhodgins

Figured out the problem. The config I'd copied from a web site had the open/closing double quotes instead of regular double quotes.

I've now successfully retrieved and sent email.

Testing complete on i586 for the srpm mutt-1.5.21-3.3.mga1.src.rpm

pushed in cauldron too.

David Walser
2012-04-04 13:00:51 CEST
Blocks: 5046 => (none)

Ping. We still need x86-64 testing for this security update.

Update validated on x86_64

Could sysadmin please push mutt-1.5.21-3.3.mga1.src.rpm from core/updates_testing to core/updates

Advisory:
========================

Updated mutt packages fix security vulnerability:

Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766 (CVE-2011-1429).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1429
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:048
========================

Keywords: (none) => validated_update

Update pushed.

Status: NEW => RESOLVED
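
Added example (not part of this bug report, mutt's code, or the upstream patch): a simplified sketch of the hostname check the advisory describes as missing, run over certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. The function names, certificates and hostnames are constructed for illustration; IP-address and internationalized names are not handled.

```python
# Added example: simplified RFC 6125-style hostname check over a certificate
# in the dict shape returned by Python's ssl.SSLSocket.getpeercert().
# All certificates and hostnames below are constructed sample data.

def dns_name_matches(pattern, hostname):
    """Compare one certificate DNS name against the host the client dialed."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard must be the whole leftmost label and cover exactly one
        # label; refuse overly broad patterns such as "*.org".
        return len(p) >= 3 and p[1:] == h[1:]
    # A "*" anywhere else (partial or non-leftmost) is rejected outright.
    return "*" not in pattern and p == h

def cert_matches_host(cert, hostname):
    """True only if the certificate was issued for `hostname`."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        # When DNS subjectAltNames exist, the subject CN is ignored.
        return any(dns_name_matches(s, hostname) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return any(dns_name_matches(cn, hostname) for cn in cns)

# Constructed certificates: assume both already passed chain validation.
SERVER_CERT = {
    "subject": ((("commonName", "smtp.mail.example"),),),
    "subjectAltName": (("DNS", "smtp.mail.example"),
                       ("DNS", "*.mx.mail.example")),
}
OTHER_CERT = {  # valid certificate, but issued for an unrelated name
    "subject": ((("commonName", "www.unrelated.example"),),),
}

def check_connection(cert, dialed_host):
    """Decision a client should make before sending SMTP AUTH credentials."""
    return "proceed" if cert_matches_host(cert, dialed_host) else "abort"

if __name__ == "__main__":
    for cert in (SERVER_CERT, OTHER_CERT):
        print(check_connection(cert, "smtp.mail.example"))
```

In Python's own TLS stack this check is on by default when the context comes from `ssl.create_default_context()` (`check_hostname=True`).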