CVEs have been assigned for several issues with SSL certificate validation in getmail: http://openwall.com/lists/oss-security/2014/10/07/33

All of the issues are fixed in 4.46.0 (already in Cauldron). Mageia 3 is also affected.
Whiteboard: (none) => MGA3TOO
OpenSuSE has issued an advisory for this today (October 22): http://lists.opensuse.org/opensuse-updates/2014-10/msg00029.html
URL: (none) => http://lwn.net/Vulnerabilities/617643/
Updated packages are available for testing. Please validate: getmail-4.46.0-1.mga3 and getmail-4.46.0-1.mga3 for Mageia 3 and 4 respectively. Working getmail installations should continue to work. I think the only validation needed is to confirm the package still works. As there is no QA procedure for this package yet, please refer to http://pyropus.ca/software/getmail/configuration.html for information on using and configuring getmail. If you have a POP or IMAP mail account (with no important mails in it!) this will help to test and validate this update.
Assignee: remco => qa-bugs
getmail-4.46.0-1.mga3 and *getmail-4.46.0-1.mga4* for Mageia 3 and 4 respectively.
CC: (none) => remco
Thanks Remmy!

Advisory:
========================

Updated getmail package fixes security vulnerabilities:

The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate (CVE-2014-7273).

The IMAP-over-SSL implementation in getmail 4.44.0 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate from a recognized Certification Authority (CVE-2014-7274).

The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof POP3 servers and obtain sensitive information via a crafted certificate (CVE-2014-7275).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7275
http://lists.opensuse.org/opensuse-updates/2014-10/msg00029.html
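The three CVEs in the advisory come down to two client-side checks that were missing: verifying the server's certificate chain at all (CVE-2014-7273, CVE-2014-7275) and, once the chain is good, confirming that the name in the certificate is the host being contacted (CVE-2014-7274), since a CA-issued certificate for some other domain passes chain verification just fine. The Python below is an added example written for this page, not getmail's own code: it implements the hostname check against the dict shape that `ssl.SSLSocket.getpeercert()` returns, shows a verifying `ssl.SSLContext` beside the unverified one the old behaviour amounted to, and wires the verifying context into `imaplib.IMAP4_SSL`. The certificate dicts and hostnames in it are constructed by hand for illustration.

```python
"""Certificate and hostname checks for IMAP/POP3 over TLS (added example)."""
import imaplib
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match of one certificate DNS name against a hostname.

    A '*' is honoured only as the entire leftmost label and only when the
    pattern has at least three labels, so '*.com' never matches anything.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Return True only if `cert` names `hostname`.

    subjectAltName dNSName entries take precedence; the subject CN is used
    only when no dNSName is present. An empty dict, which is what
    getpeercert() returns when the peer was not verified, never matches:
    that is the CVE-2014-7273/7275 case (no verification at all).
    """
    if not cert:
        return False
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return any(_dns_name_matches(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def verifying_context(cafile=None) -> ssl.SSLContext:
    """Context that verifies the chain AND the hostname (the fixed behaviour)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context() -> ssl.SSLContext:
    """Context equivalent to the vulnerable behaviour: encrypts, trusts anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if both the chain and the hostname will be checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def connect_imap(host: str, port: int = 993) -> imaplib.IMAP4_SSL:
    """IMAP-over-TLS connection that fails closed on a bad or mismatched cert.

    Not called here (needs network). imaplib.IMAP4_SSL takes ssl_context
    since Python 3.3 and raises ssl.SSLCertVerificationError on mismatch.
    """
    return imaplib.IMAP4_SSL(host, port, ssl_context=verifying_context())


# Constructed sample certificates in getpeercert() dict form (not real certs).
GOOD_CERT = {
    "subject": ((("commonName", "imap.googlemail.com"),),),
    "subjectAltName": (("DNS", "imap.googlemail.com"),
                       ("DNS", "*.googlemail.com")),
}
# A genuine CA-issued certificate for a different host: the chain verifies,
# the name does not. This is what the CVE-2014-7274 behaviour accepted.
OTHER_HOST_CERT = {
    "subject": ((("commonName", "mail.attacker.example"),),),
    "subjectAltName": (("DNS", "mail.attacker.example"),),
}
# Old-style certificate with no SAN at all: only the CN can be consulted.
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "pop.example.net"),)),
}
```

The order of the two assignments in `unverified_context` matters: `PROTOCOL_TLS_CLIENT` contexts start with `check_hostname = True`, and Python refuses to set `verify_mode = CERT_NONE` while it is on, which is a useful guard against reintroducing exactly this class of bug.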
Testing on Mageia4-64

In order to test the package, I used a gmail account (IMAP with SSL)

Current package :
---------------
Installed :
- getmail-4.41.0-3.mga4.noarch

Made a folder for getmail configuration files
$ mkdir -m 0700 $HOME/.getmail

created directories needed to retrieve my mails
$ mkdir /home/zitounu/Gmail
$ mkdir /home/zitounu/Gmail/cur
$ mkdir /home/zitounu/Gmail/new
$ mkdir /home/zitounu/Gmail/tmp

configured getmail for my gmail account :
$ kate /home/zitounu/.getmail/gmail

[retriever]
type = SimpleIMAPSSLRetriever
server = imap.googlemail.com
port = 993
username = mygmailusername
password = mygmailpassword

[destination]
type = Maildir
path = ~/Gmail/

[options]
received = false
delivered_to = false
read_all = false
verbose = 2
message_log = ~/.getmail/gmail.log
message_log_verbose = true

Retrieved emails using getmail :
$ getmail -r gmail
and retrieved 15 messages before aborting (ctrl-D)
Found the 15 messages in /home/zitounu/Gmail/new

Installed update-testing package :
--------------------------------
- getmail-4.46.0-1.mga4.noarch

Didn't change any settings.
$ getmail -r gmail
Retrieved 7 more emails before aborting
Found the 7 subsequent emails in /home/zitounu/Gmail/new
Could read them, read attachments, etc.
Logs were written in .getmail/gmail.log in my user directory.

No problem for me
CC: (none) => olchal
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
Testing on Mageia3-64

Using same procedure as in comment 5.
Current package : getmail-4.36.0-2.mga3
Update-testing package : getmail-4.46.0-1.mga3

Everything OK.
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA3-64-OK
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO MGA4-64-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK advisory
@QA: What's keeping this update from being released? (Do we need to assign it to sysadm or something?) Thanks!
@Remmy: Mostly the fact that it hasn't been tested on 32bit. But we agreed previously that one arch per release could be enough, and since the QA todo list is quite long, let's validate this one.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0450.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED