On Sun, Nov 14, 2010 at 07:55:23PM +1100, david b wrote:
> Package: offlineimap
> Severity: grave
> Tags: security
> Justification: user security hole
>
> offlineimap performs absolutely no ssl certificate checking. So users
> could/can be the victim of a man in the middle attack.
> In debian the following bugs exist:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536421 (re certificate
> expiration)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153240 (re ssl fingerprint
> checking)
>
> This could be considered a bug in imaplib (http://bugs.python.org/issue10274).
> A partial 'fix' is the following (this 'fix' isn't complete and would break
> connections to servers using self-signed certificates):
FWIW, this is a limitation documented on the homepage since 2007:
https://github.com/jgoerzen/offlineimap/wiki

Cheers,
Moritz
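The quoted report describes two distinct gaps: no CA-based verification of the server certificate (so a man-in-the-middle presenting any certificate is accepted), and no way to keep using a self-signed certificate once verification is turned on. The following is an added example, not code from the bug report, from offlineimap or from Python's imaplib; it shows how an IMAP client can close both gaps with the standard-library `ssl` module: CA and hostname verification by default, with an optional SHA-256 fingerprint pin for self-signed servers. The host name, port and fingerprint handling are assumptions for illustration; `imaplib.IMAP4_SSL(..., ssl_context=...)` is the real Python 3 API.

```python
import hashlib
import imaplib
import ssl

# Constructed placeholder values for the usage example below; not a real server.
EXAMPLE_HOST = "imap.example.invalid"
EXAMPLE_PORT = 993


def cert_sha256_fingerprint(der_cert: bytes) -> str:
    """Return the lowercase hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' and return lowercase hex without separators."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-format comparison of a certificate's fingerprint against a pin."""
    return cert_sha256_fingerprint(der_cert) == normalize_fingerprint(expected)


def make_verifying_context(cafile=None) -> ssl.SSLContext:
    """CA-based verification: validates the chain, expiry and the host name.

    This is what the report says offlineimap lacked; a MITM with an untrusted
    certificate is rejected during the handshake, before any IMAP command.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_pinning_context() -> ssl.SSLContext:
    """Context for self-signed servers: no CA check, so the caller MUST pin.

    check_hostname must be disabled before verify_mode is relaxed, otherwise
    the ssl module raises ValueError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_imap(host, port=993, cafile=None, pinned_sha256=None):
    """Open an IMAP-over-TLS connection that is verified one way or the other.

    Without a pin, the CA store (or cafile) must validate the server.  With a
    pin, the presented certificate's SHA-256 fingerprint must match exactly;
    this is how a self-signed certificate can be trusted without disabling
    verification altogether.
    """
    if pinned_sha256 is None:
        ctx = make_verifying_context(cafile)
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)

    ctx = make_pinning_context()
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    der = conn.sock.getpeercert(binary_form=True)
    if not fingerprint_matches(der, pinned_sha256):
        conn.shutdown()  # drop the connection before any credentials are sent
        raise ssl.SSLError(
            "certificate fingerprint mismatch for %s: got %s"
            % (host, cert_sha256_fingerprint(der))
        )
    return conn


if __name__ == "__main__":
    # Usage sketch only; EXAMPLE_HOST does not resolve, so this is not executed
    # by the offline checks.  Replace with a real host and, for a self-signed
    # server, the fingerprint recorded out of band.
    try:
        client = connect_imap(EXAMPLE_HOST, EXAMPLE_PORT)
        client.logout()
    except (OSError, ssl.SSLError) as exc:
        print("connection refused or verification failed:", exc)
```

The pinning path still negotiates TLS (so traffic is encrypted) but defers trust to the fingerprint check that runs immediately after the handshake and before `login`; an attacker substituting a certificate is detected at that point and the socket is closed. The fingerprint is normalised so that the colon-separated form printed by `openssl x509 -fingerprint -sha256` compares equal to the bare hex form.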