Bug 20476

Summary: CVE-2009-1390 Mutt X.509 Certificate Chain Security Bypass Vulnerability
Product: Sisyphus Reporter: Vladimir Lettiev <crux>
Component: mutt1.5Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED FIXED QA Contact: qa-sisyphus
Severity: critical    
Priority: P3 Keywords: security
Version: unstable   
Hardware: all   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1390

Description Vladimir Lettiev 2009-06-17 12:17:07 MSD 
Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections when only one TLS certificate in the chain is accepted instead of verifying the entire chain, which allows remote attackers to spoof trusted servers via a man-in-the-middle attack.

Fixed in hg:
http://dev.mutt.org/hg/mutt/rev/8f11dd00c770
http://dev.mutt.org/hg/mutt/rev/64bf199c8d8a
Comment 1 Vladimir Lettiev 2009-06-19 09:13:20 MSD 
Released 1.5.20: http://marc.info/?l=mutt-announce&m=124500824219953&w=2
Comment 2 Sir Raorn 2009-06-19 15:00:18 MSD 
Да, я в курсе.  Занимаюсь притиранием шестидесяти левых патчей.
Comment 3 Repository Robot 2009-06-21 20:40:16 MSD 
mutt1.5-3:1.5.20-alt1 -> sisyphus:

* Sun Jun 21 2009 Alexey I. Froloff <raorn@altlinux> 3:1.5.20-alt1

- [1.5.20] (closes: #20476)
  ! $fcc_attach is a quadoption now
  + $honor_disposition to honor Content-Disposition headers
  + $search_context specifies number of context lines for search results
    in pager/page-based menus
  ! ssl_use_sslv2 defaults to no
  + uncolor works for header + body objects, too
  + the "flagged" and "replied" flags are enabled/supported for
    POP when built with header caching
  ! browser correctly displays maildir's mtime
  + <set-flag> and <clear-flag> work in the pager, too
  + ~x pattern also matches against In-Reply-To
  + lower case patterns for string searches perform case-insensitive
    search as regex patterns do (except IMAP)
  + $ssl_verify_dates controls whether mutt checks the validity period of
    SSL certificates
  + $ssl_verify_hostname controls whether mutt will accept certificates whose
    host names do not match the host name in the folder URL.
- Removed dependency on perl(timelocal.pl) (closes: #7061)
Comment 4 Vladimir Lettiev 2009-06-24 10:30:17 MSD 
closed