Bug 11148 - ssmtp does not verify certificates when making a TLS connection
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Importance: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/565574/
Whiteboard: MGA2TOO has_procedure mga3-64-ok mga3...
Keywords: validated_update
Depends on:
Reported: 2013-09-04 02:34 CEST by David Walser
Modified: 2013-10-10 00:50 CEST

Source RPM: ssmtp-2.64-8.1.mga3.src.rpm

Description David Walser 2013-09-04 02:34:36 CEST
Fedora has issued an advisory on August 20:

They fixed the issue by adding this patch:

Mageia 2 and Mageia 3 are also affected.
Comment 1 Johnny A. Solbu 2013-09-04 23:07:41 CEST
This bug seems to only affect Mageia 2.
Mageia 3 and Cauldron were already patched against this bug on Nov 1, 2012, by luigiwalser.
Comment 2 David Walser 2013-09-05 00:19:26 CEST
No, even if I added that patch before, there was a flaw in the patch, and the patch has been updated.
Comment 3 Johnny A. Solbu 2013-09-29 16:04:42 CEST
Cauldron package fixed and submitted.

I have uploaded updated packages for mageia 2 and 3.
I don't know what advisory to use, but apparently the existing patch was flawed, so feel free to suggest an advisory.

Updated mageia 2 packages in core/updates_testing:

Source RPM: 

Updated mageia 3 packages in core/updates_testing:

Source RPM: 
Comment 4 David Walser 2013-09-29 16:12:10 CEST
Thanks Johnny.

Here's another minor change you might want to sync in the Cauldron package:
Comment 5 David Walser 2013-09-29 16:17:03 CEST

Updated ssmtp packages fix security vulnerability:

It was reported that ssmtp, an extremely simple MTA to get mail off the system to a mail hub, did not perform X.509 certificate validation when initiating a TLS connection to a server. A rogue server could use this flaw to conduct a man-in-the-middle attack, possibly leading to a leak of user credentials.


Updated packages in core/updates_testing:

Source RPMs:
Comment 6 Johnny A. Solbu 2013-09-29 16:34:14 CEST
(In reply to David Walser from comment #4)
> Here's another minor change you might want to sync in the Cauldron package:

Nice. Added to Cauldron. :-)=
Comment 7 Dave Hodgins 2013-09-30 23:06:47 CEST
Advisory 11148.adv committed to svn
Comment 8 claire robinson 2013-10-03 16:35:03 CEST
Some testing info here: https://wiki.archlinux.org/index.php/SSMTP
Comment 9 claire robinson 2013-10-04 12:50:46 CEST
Testing mga3 64

I edited ssmtp.conf and used the settings from the one given in the link in comment 8, changing them to my gmail login. I didn't bother following that guide any further as our ssmtp.conf is setgid after the last update. 

Tested with a mail to myself.

After installing the update it fails so there is some regression here. 

Enabling Debug=YES in the conf shows this in the journal..

sSMTP[5461]: 220 mx.google.com ESMTP c4sm8709118wiz.0 - gsmtp
sSMTP[5461]: EHLO localhost
sSMTP[5461]: 250 CHUNKING
sSMTP[5461]: 220 2.0.0 Ready to start TLS
sSMTP[5461]: SSL not working: certificate verify failed (20)
sSMTP[5461]: Cannot open smtp.gmail.com:587
sSMTP[5461]: Can't open /home/claire/dead.letter failing horribly!

This is despite these two settings being commented..

# Use SSL/TLS certificate to authenticate against smtp host.

# Use this RSA certificate.
Comment 10 claire robinson 2013-10-04 12:56:24 CEST
It seems to need the patch in comment 4

Once the line below is added to ssmtp.conf it connects & sends Ok.

TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
Comment 11 claire robinson 2013-10-04 13:00:34 CEST
If it's decided to add it, be careful to create an rpmnew and not overwrite the existing conf.
Comment 12 claire robinson 2013-10-04 13:02:13 CEST
It will also need to require/suggest rootcerts.

$ urpmf /etc/pki/tls/certs/ca-bundle.crt
Comment 13 Johnny A. Solbu 2013-10-04 13:35:11 CEST
(In reply to claire robinson from comment #10)
> It seems to need the patch in comment 4
> Once the line below is added to ssmtp.conf it connects & sends Ok.
> TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt

So I should add the patch to both mga2 and 3, right?
Comment 14 claire robinson 2013-10-04 13:47:26 CEST
Ideally, I think so, see what David thinks.
Comment 15 Johnny A. Solbu 2013-10-04 14:01:44 CEST
Submitted a new release in testing now.

Updated packages in core/updates_testing:

Source RPMs:
Comment 16 claire robinson 2013-10-07 08:58:07 CEST
Testing complete mga3 64

installing ssmtp-2.64-8.3.mga3.x86_64.rpm from /var/cache/urpmi/rpms                                                                        
Preparing...                     #########################################
      1/1: ssmtp                 warning: /etc/ssmtp/ssmtp.conf created as /etc/ssmtp/ssmtp.conf.rpmnew

Confirmed the rpmnew contains the ca-bundle.crt line

#IMPORTANT: Uncomment the following line if you use TLS authentication

Tested with..

$ echo test | mail -v -s "testing ssmtp setup" username@somedomain.com
Comment 17 claire robinson 2013-10-07 09:26:28 CEST
Updating with MageiaUpdate gives no warning of the rpmnew, it should give a notice and diff comparison. Without any notice given, this will silently break people's configurations.

I think something is still missing here Johnny, probably mga3 as well.
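As an added example (not ssmtp's own code nor Mageia's update tooling), a small Python check covering the two points raised in comments 10 to 17: a TLS-enabled ssmtp.conf with no TLS_CA_File has nothing to verify the server certificate against, and an update that ships its new line only in an .rpmnew should tell the admin which settings it introduces. The config format and key names are ssmtp's own; the two sample configs are constructed for the example.

```python
"""Added example (not ssmtp's or Mageia's code): lint an ssmtp.conf for TLS
settings that leave the server certificate unverified, and list the settings
a shipped ssmtp.conf.rpmnew introduces that the installed config lacks."""
import os
import re

# ssmtp.conf holds one "Key=Value" per line and '#' starts a comment;
# keys are matched case-insensitively, as ssmtp itself does.
_SETTING = re.compile(r"^\s*(#?)\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")

def parse_ssmtp_conf(text):
    """Return (active, commented): dicts of lowercased key -> value."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if m:
            target = commented if m.group(1) else active
            target[m.group(2).lower()] = m.group(3)
    return active, commented

def tls_findings(active, path_exists=os.path.isfile):
    """Findings for parsed active settings; path_exists is injectable for tests."""
    def yes(key):
        return active.get(key, "NO").strip().upper() == "YES"
    if not (yes("usetls") or yes("usestarttls")):
        return []  # plain SMTP: no server certificate is involved
    ca_file = active.get("tls_ca_file", "")
    if not ca_file:
        return ["TLS enabled but TLS_CA_File is unset: "
                "the server certificate cannot be verified"]
    if not path_exists(ca_file):
        return ["TLS_CA_File=%s is missing (is rootcerts installed?)" % ca_file]
    return []

def rpmnew_additions(installed_text, rpmnew_text):
    """Keys the new default mentions (set or commented out) that the installed
    config does not set: what an updater should show the admin about an rpmnew."""
    installed_active, _ = parse_ssmtp_conf(installed_text)
    new_active, new_commented = parse_ssmtp_conf(rpmnew_text)
    return sorted((set(new_active) | set(new_commented)) - set(installed_active))

# Constructed samples: a config shaped like the tester's, and the packaged
# default carrying the line this update adds (commented out, as in the rpmnew).
INSTALLED = ("root=postmaster\nmailhub=smtp.gmail.com:587\nUseSTARTTLS=YES\n"
             "AuthUser=user@example.com\n")
RPMNEW = ("root=postmaster\nmailhub=mail\nUseSTARTTLS=YES\n"
          "#IMPORTANT: Uncomment the following line if you use TLS authentication\n"
          "#TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt\n")
```

Run against a real /etc/ssmtp/ssmtp.conf and its .rpmnew, `tls_findings` reports the unverified-TLS state the tester hit before adding the CA line, and `rpmnew_additions` yields the notice MageiaUpdate did not show.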
Comment 18 claire robinson 2013-10-07 09:27:39 CEST
Sorry, testing mga2 64 in comment 17
Comment 19 David Walser 2013-10-07 16:51:28 CEST
From the spec in Mageia 2:
%attr(2750, root, mail) %config(noreplace) %{_sysconfdir}/ssmtp/*

So he's properly got the config marked as config(noreplace).  If MageiaUpdate isn't doing the right thing, that's MageiaUpdate's fault.  There's nothing else that can be done in this package about that.
Comment 20 claire robinson 2013-10-08 12:46:18 CEST
Validating this one then. I checked mga3 again and it does offer the diff there but not mga2, so must just be a peculiarity of mga2, or maybe just my mga2.

Advisory updated. I removed the CVE stanza as it seems it is deemed as hardening rather than being vulnerable and so is not being allocated one.

Could sysadmin please push from 2&3 core/updates_testing to updates

Comment 21 Thomas Backlund 2013-10-10 00:50:18 CEST
Update pushed:
