Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections when only one TLS certificate in the chain is accepted instead of verifying the entire chain, which allows remote attackers to spoof trusted servers via a man-in-the-middle attack. Fixed in hg: http://dev.mutt.org/hg/mutt/rev/8f11dd00c770 http://dev.mutt.org/hg/mutt/rev/64bf199c8d8a
Released 1.5.20: http://marc.info/?l=mutt-announce&m=124500824219953&w=2
Да, я в курсе. Занимаюсь притиранием шестидесяти левых патчей.
mutt1.5-3:1.5.20-alt1 -> sisyphus: * Sun Jun 21 2009 Alexey I. Froloff <raorn@altlinux> 3:1.5.20-alt1 - [1.5.20] (closes: #20476) ! $fcc_attach is a quadoption now + $honor_disposition to honor Content-Disposition headers + $search_context specifies number of context lines for search results in pager/page-based menus ! ssl_use_sslv2 defaults to no + uncolor works for header + body objects, too + the "flagged" and "replied" flags are enabled/supported for POP when built with header caching ! browser correctly displays maildir's mtime + <set-flag> and <clear-flag> work in the pager, too + ~x pattern also matches against In-Reply-To + lower case patterns for string searches perform case-insensitive search as regex patterns do (except IMAP) + $ssl_verify_dates controls whether mutt checks the validity period of SSL certificates + $ssl_verify_hostname controls whether mutt will accept certificates whose host names do not match the host name in the folder URL. - Removed dependency on perl(timelocal.pl) (closes: #7061)
closed
