Package: mew
Version: 1:6.8-4
Severity: important
Tags: security patch fixed-upstream
Forwarded: https://github.com/kazu-yamamoto/Mew/pull/133
Control: found -1 1:6.7-4
Control: fixed -1 1:6.8-6
It was discovered that Mew, a mail reader in Emacs, performs insufficient
validation of SSL/TLS certificates, which may lead to man-in-the-middle
attacks.

cf. https://github.com/kazu-yamamoto/Mew/pull/133

> Support checkHost for stunnel 5.15 #133
>
> This patch will check the peer certificate subject when
> mew-ssl-verify-level is non-zero with stunnel >=5.15 and
> OpenSSL >=1.0.2.
>
> cf. https://www.stunnel.org/NEWS.html
>
> Version 5.21, 2015.07.27, urgency: MEDIUM
>
> More elaborate descriptions were added to the warning about
> using "verify = 2" without "checkHost" or "checkIP".
>
> Version 5.15, 2015.04.16, urgency: LOW
>
> Added new service-level options "checkHost", "checkEmail" and
> "checkIP" for additional checks of the peer certificate subject.
> These options require OpenSSL version 1.0.2 or higher.

Note that the checkHost option of stunnel can be enabled by the user
configuration. e.g.

  (setq mew-ssl-cert-directory "/etc/ssl/certs\ncheckHost=.example.net")

However, it should be automatically enabled.

Patch attached.

Thanks,
-- 
Tatsuya Kinoshita
Subject: Enable checkHost for stunnel Origin: upstream, https://github.com/kazu-yamamoto/Mew/commit/8de0a1398f10d0e8da29ce91ec22af17430c0004 Bug: https://github.com/kazu-yamamoto/Mew/pull/133 --- a/mew-ssl.el +++ b/mew-ssl.el @@ -106,6 +106,8 @@ insert no extra text.") (insert "client=yes\n") (insert "pid=\n") (insert (format "verify=%d\n" (mew-ssl-verify-level case))) + (if (> (mew-ssl-verify-level case) 0) + (insert (format "checkHost=%s\n" server))) (insert "foreground=yes\n") (insert "debug=debug\n") (if (and mew-ssl-libwrap (or (>= mew-ssl-ver 5) (>= mew-ssl-minor-ver 45)))
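Review bot: the new `checkHost=` line is emitted for every stunnel whenever the verify level is non-zero, but the report itself states that checkHost only exists in stunnel >= 5.15 built against OpenSSL >= 1.0.2; an older stunnel will reject the unknown option and the tunnel will fail to start, turning a silent hostname-check gap into a hard connection failure with no explanation to the user. The very next visible line already gates the libwrap option on `(or (>= mew-ssl-ver 5) (>= mew-ssl-minor-ver 45))`, so the same kind of version guard should wrap this insert (or the package should document the minimum stunnel version). Also worth a comment in the code: checkHost matches the DNS name in the certificate, so `server` must be the configured hostname; a user who configured an IP address would need checkIP instead, and the current line would make such a connection fail verification rather than skip the check.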
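A configuration audit, added here as an illustration and not part of Mew or this patch: it parses an stunnel configuration of the kind Mew writes (a constructed, simplified sample) and flags client services that verify the CA chain (verify level 1 or 2) without any checkHost, checkIP or checkEmail option, which is exactly the gap this bug closes. The host imap.example.net, the section name and the function names are assumptions.

```python
# Constructed sample of the stunnel.conf Mew generated before the fix:
# verify=2 validates the CA chain but nothing ties the cert to the host.
WEAK_CONF = """\
client=yes
pid=
verify=2
foreground=yes
CAfile=/etc/ssl/certs/ca-certificates.crt
[imap]
accept=localhost:1993
connect=imap.example.net:993
"""
# What the patched Mew emits: checkHost right after the verify line.
FIXED_CONF = WEAK_CONF.replace("verify=2\n", "verify=2\ncheckHost=imap.example.net\n")


def parse_stunnel_conf(text):
    """Return {section: {option: value}}; options before any [section] go under 'global'."""
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def unpinned_services(conf):
    """Client services that check the chain but never check who the peer is."""
    name_checks = ("checkHost", "checkIP", "checkEmail")
    flagged = []
    for name, opts in conf.items():
        if name == "global":
            continue
        merged = {**conf["global"], **opts}  # service options override globals
        if merged.get("client") != "yes":
            continue
        level = int(merged.get("verify", "0") or 0)
        # Assumption: verify=3/4 pin the peer cert locally, so only 1 and 2 need a name check.
        if 1 <= level <= 2 and not any(k in merged for k in name_checks):
            flagged.append(name)
    return flagged


def audit(text):
    return unpinned_services(parse_stunnel_conf(text))
```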