Bug 11148 - ssmtp does not verify certificates when making a TLS connection
Summary: ssmtp does not verify certificates when making a TLS connection
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/565574/
Whiteboard: MGA2TOO has_procedure mga3-64-ok mga3...
Keywords: validated_update
Reported: 2013-09-04 02:34 CEST by David Walser
Modified: 2013-10-10 00:50 CEST (History)
Source RPM: ssmtp-2.64-8.1.mga3.src.rpm
Description David Walser 2013-09-04 02:34:36 CEST
Fedora has issued an advisory on August 20:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114906.html

They fixed the issue by adding this patch:
http://pkgs.fedoraproject.org/cgit/ssmtp.git/plain/ssmtp-validate-TLS-server-cert.patch?id=9cf15159e1f296c1f2ae1b9a2e097a5d24c76260

Mageia 2 and Mageia 3 are also affected.

David Walser 2013-09-04 02:34:44 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Johnny A. Solbu 2013-09-04 22:30:02 CEST

Status: NEW => ASSIGNED

Comment 1 Johnny A. Solbu 2013-09-04 23:07:41 CEST
This bug seems to only affect Mageia 2.
Mageia 3 and Cauldron were already patched against this bug on Nov 1, 2012, by luigiwalser.
Comment 2 David Walser 2013-09-05 00:19:26 CEST
No, even if I added that patch before, there was a flaw in the patch, and the patch has been updated.
Comment 3 Johnny A. Solbu 2013-09-29 16:04:42 CEST
Cauldron package fixed and submitted.

I have uploaded updated packages for mageia 2 and 3.
I don't know what advisory to use, but apparently the existing patch was flawed, so feel free to suggest an advisory.

========================
Updated mageia 2 packages in core/updates_testing:
ssmtp-2.64-5.2.mga2

Source RPM: 
ssmtp-2.64-5.2.mga2.src.rpm


Updated mageia 3 packages in core/updates_testing:
ssmtp-2.64-8.2.mga3

Source RPM: 
ssmtp-2.64-8.2.mga3.src.rpm

CC: (none) => cooker
Assignee: cooker => qa-bugs

Comment 4 David Walser 2013-09-29 16:12:10 CEST
Thanks Johnny.

Here's another minor change you might want to sync in the Cauldron package:
http://pkgs.fedoraproject.org/cgit/ssmtp.git/commit/?id=999dce90599cad18f1d6fc4bd05ae31fc85db581

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 5 David Walser 2013-09-29 16:17:03 CEST
Advisory:
========================

Updated ssmtp packages fix security vulnerability:

It was reported that ssmtp, an extremely simple MTA to get mail off the system
to a mail hub, did not perform x509 certificate validation when initiating a
TLS connection to the server. A rogue server could use this flaw to conduct a
man-in-the-middle attack, possibly leading to a leak of user credentials.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114906.html
========================

Updated packages in core/updates_testing:
========================
ssmtp-2.64-5.2.mga2
ssmtp-2.64-8.2.mga3

Source RPMs:
ssmtp-2.64-5.2.mga2.src.rpm
ssmtp-2.64-8.2.mga3.src.rpm
Comment 6 Johnny A. Solbu 2013-09-29 16:34:14 CEST
(In reply to David Walser from comment #4)
> Here's another minor change you might want to sync in the Cauldron package:

Nice. Added to Cauldron. :-)=
Comment 7 Dave Hodgins 2013-09-30 23:06:47 CEST
Advisory 11148.adv committed to svn

CC: (none) => davidwhodgins

Comment 8 claire robinson 2013-10-03 16:35:03 CEST
Some testing info here: https://wiki.archlinux.org/index.php/SSMTP
claire robinson 2013-10-03 16:35:18 CEST

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 9 claire robinson 2013-10-04 12:50:46 CEST
Testing mga3 64

I edited ssmtp.conf and used the settings from the one given in the link in comment 8, changing them to my gmail login. I didn't bother following that guide any further as our ssmtp.conf is setgid after the last update. 

Tested with a mail to myself.


After installing the update it fails so there is some regression here. 

Enabling Debug=YES in the conf shows this in the journal..

sSMTP[5461]: 220 mx.google.com ESMTP c4sm8709118wiz.0 - gsmtp
sSMTP[5461]: EHLO localhost
sSMTP[5461]: 250 CHUNKING
sSMTP[5461]: STARTTLS
sSMTP[5461]: 220 2.0.0 Ready to start TLS
sSMTP[5461]: SSL not working: certificate verify failed (20)
sSMTP[5461]: Cannot open smtp.gmail.com:587
sSMTP[5461]: Can't open /home/claire/dead.letter failing horribly!

This is despite these two settings being commented..

# Use SSL/TLS certificate to authenticate against smtp host.
#UseTLSCert=YES

# Use this RSA certificate.
#TLSCert=/etc/ssl/certs/ssmtp.pem

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure feedback

Comment 10 claire robinson 2013-10-04 12:56:24 CEST
It seems to need the patch in comment 4

Once the line below is added to ssmtp.conf it connects & sends Ok.

TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
Comment 11 claire robinson 2013-10-04 13:00:34 CEST
If it's decided to add it, be careful to create an rpmnew and not overwrite the existing conf.
Comment 12 claire robinson 2013-10-04 13:02:13 CEST
it will also need to require/suggest rootcerts

$ urpmf /etc/pki/tls/certs/ca-bundle.crt
rootcerts:/etc/pki/tls/certs/ca-bundle.crt
Comment 13 Johnny A. Solbu 2013-10-04 13:35:11 CEST
(In reply to claire robinson from comment #10)
> It seems to need the patch in comment 4
> 
> Once the line below is added to ssmtp.conf it connects & sends Ok.
> 
> TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt

So I should add the patch to both mga2 and 3, right?
Comment 14 claire robinson 2013-10-04 13:47:26 CEST
Ideally, I think so, see what David thinks.
Comment 15 Johnny A. Solbu 2013-10-04 14:01:44 CEST
Submitted a new release in testing now.

Updated packages in core/updates_testing:
========================
ssmtp-2.64-5.3.mga2
ssmtp-2.64-8.3.mga3

Source RPMs:
ssmtp-2.64-5.3.mga2.src.rpm
ssmtp-2.64-8.3.mga3.src.rpm
claire robinson 2013-10-04 14:03:01 CEST

Whiteboard: MGA2TOO has_procedure feedback => MGA2TOO has_procedure

Comment 16 claire robinson 2013-10-07 08:58:07 CEST
Testing complete mga3 64

installing ssmtp-2.64-8.3.mga3.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     #########################################
      1/1: ssmtp                 warning: /etc/ssmtp/ssmtp.conf created as /etc/ssmtp/ssmtp.conf.rpmnew


Confirmed the rpmnew contains the ca-bundle.crt line

#IMPORTANT: Uncomment the following line if you use TLS authentication
#TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt


Tested with..

$ echo test | mail -v -s "testing ssmtp setup" username@somedomain.com

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga3-64-ok

Comment 17 claire robinson 2013-10-07 09:26:28 CEST
Updating with MageiaUpdate gives no warning of the rpmnew, it should give a notice and diff comparison. Without any notice given, this will silently break people's configurations.

I think something is still missing here Johnny, probably mga3 as well.
claire robinson 2013-10-07 09:26:51 CEST

Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-64-ok? feedback

Comment 18 claire robinson 2013-10-07 09:27:39 CEST
Sorry, testing mga2 64 in comment 17
Comment 19 David Walser 2013-10-07 16:51:28 CEST
From the spec in Mageia 2:
%attr(2750, root, mail) %config(noreplace) %{_sysconfdir}/ssmtp/*

So he's properly got the config marked as config(noreplace).  If MageiaUpdate isn't doing the right thing, that's MageiaUpdate's fault.  There's nothing else that can be done in this package about that.

Whiteboard: MGA2TOO has_procedure mga3-64-ok? feedback => MGA2TOO has_procedure mga3-64-ok
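An added example, not code from ssmtp, Fedora or the Mageia package, that turns the findings of comments 9 to 12 and 16 to 19 into a check an admin can run: it parses an ssmtp.conf, reports whether a TLS session to the mail hub has a trust anchor (TLS_CA_File set and present, the rootcerts dependency from comment 12), picks the "certificate verify failed (20)" line out of journal output like comment 9's, and lists the keys an .rpmnew introduces that the kept config neither sets nor mentions, which is the merge step comment 17 worried would be skipped silently. The sample conf, rpmnew and journal lines are constructed for the example; the file_exists parameter is a hook of this example so the check runs without the real CA bundle; the meaning of verify result 20 is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

```python
"""Audit an ssmtp.conf for the TLS-verification settings discussed in this
bug, spot the verification failure in journal lines, and show what an
.rpmnew adds that the kept conf lacks.  Example code, not ssmtp's own."""
import re
from pathlib import Path

# ssmtp compares config keys case-insensitively, so keys are stored lowercased.
CONF_LINE = re.compile(
    r"^\s*(?P<hash>#)?\s*(?P<key>[A-Za-z_]+)\s*=\s*(?P<value>.*?)\s*$")
JOURNAL_VERIFY_FAIL = re.compile(
    r"sSMTP\[(?P<pid>\d+)\]: SSL not working: certificate verify failed "
    r"\((?P<code>\d+)\)")
# OpenSSL verify result 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
# a chain was presented but no local trust anchor could vouch for it.
VERIFY_CODES = {20: "unable to get local issuer certificate (no usable CA bundle)"}


def parse_ssmtp_conf(text):
    """Return (active, commented).  Active settings are what ssmtp reads;
    commented ones ('#Key=value') are the hints the packaged file carries."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = CONF_LINE.match(line)
        if m:
            bucket = commented if m.group("hash") else active
            bucket[m.group("key").lower()] = m.group("value")
    return active, commented


def audit_tls(active, file_exists=lambda p: Path(p).is_file()):
    """Findings on whether the TLS session to the mail hub will be verified.
    file_exists is injectable (hook of this example) so the check runs
    without the real CA bundle installed."""
    def on(key):
        return active.get(key, "NO").upper() == "YES"
    if not (on("usetls") or on("usestarttls")):
        return ["TLS disabled: credentials and mail reach the hub in cleartext"]
    ca = active.get("tls_ca_file")
    if not ca:
        return ["TLS on but TLS_CA_File unset: no trust anchor, so the patched "
                "ssmtp logs 'certificate verify failed (20)' and cannot send"]
    if not file_exists(ca):
        return [f"TLS_CA_File={ca} does not exist; install the rootcerts package"]
    return []


def verify_failures(journal_lines):
    """(pid, code, meaning) for each verification failure found in the journal."""
    found = []
    for line in journal_lines:
        m = JOURNAL_VERIFY_FAIL.search(line)
        if m:
            code = int(m.group("code"))
            found.append((int(m.group("pid")), code,
                          VERIFY_CODES.get(code, "see verify(1ssl)")))
    return found


def rpmnew_gaps(current_text, rpmnew_text):
    """Keys the package's .rpmnew mentions (set or commented) that the kept
    conf neither sets nor mentions: the lines to merge by hand."""
    cur_active, cur_commented = parse_ssmtp_conf(current_text)
    new_active, new_commented = parse_ssmtp_conf(rpmnew_text)
    known = set(cur_active) | set(cur_commented)
    return sorted((set(new_active) | set(new_commented)) - known)


# Constructed sample data, modelled on the conf and journal lines in the thread.
KEPT_CONF = """\
root=postmaster
mailhub=smtp.example.net:587
UseTLS=YES
UseSTARTTLS=YES
AuthUser=user@example.net
AuthPass=REDACTED
# Use SSL/TLS certificate to authenticate against smtp host.
#UseTLSCert=YES
# Use this RSA certificate.
#TLSCert=/etc/ssl/certs/ssmtp.pem
"""
RPMNEW_CONF = KEPT_CONF + """\
#IMPORTANT: Uncomment the following line if you use TLS authentication
#TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
"""
JOURNAL = [
    "sSMTP[5461]: STARTTLS",
    "sSMTP[5461]: 220 2.0.0 Ready to start TLS",
    "sSMTP[5461]: SSL not working: certificate verify failed (20)",
    "sSMTP[5461]: Cannot open smtp.example.net:587",
]

if __name__ == "__main__":
    active, _ = parse_ssmtp_conf(KEPT_CONF)
    for finding in audit_tls(active):
        print("finding:", finding)
    for pid, code, why in verify_failures(JOURNAL):
        print(f"pid {pid}: verify error {code}: {why}")
    print("keys to merge from rpmnew:", rpmnew_gaps(KEPT_CONF, RPMNEW_CONF))
```

Run against a real system, replace KEPT_CONF and RPMNEW_CONF with the contents of /etc/ssmtp/ssmtp.conf and its .rpmnew and drop the file_exists override; the audit then tells you whether uncommenting the TLS_CA_File line (and installing rootcerts) is still pending after the update.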

Comment 20 claire robinson 2013-10-08 12:46:18 CEST
Validating this one then. I checked mga3 again and it does offer the diff there but not mga2, so must just be a peculiarity of mga2, or maybe just my mga2.

Advisory updated. I removed the CVE stanza as it seems it is deemed as hardening rather than being vulnerable and so is not being allocated one.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-64-ok mga3-32-ok mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs

Comment 21 Thomas Backlund 2013-10-10 00:50:18 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0296.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
