Main Vulnerability Database SB2014100807

SB2014100807 - Cryptographic issues in pyropus.ca getmail

Published: October 8, 2014 Updated: August 10, 2020

Security Bulletin ID SB2014100807

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Cryptographic issues (CVE-ID: CVE-2014-7273)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate.

Remediation

Install update from vendor's website.

References

http://lists.opensuse.org/opensuse-updates/2014-10/msg00029.html
http://openwall.com/lists/oss-security/2014/10/07/33
http://pyropus.ca/software/getmail/CHANGELOG
http://secunia.com/advisories/61229
http://www.debian.org/security/2014/dsa-3091