Your message dated Mon, 08 Dec 2014 15:32:15 +0000
with message-id <e1xy0ij-00065v...@franck.debian.org>
and subject line Bug#766670: fixed in getmail4 4.46.0-1~deb7u1
has caused the Debian Bug report #766670,
regarding getmail4: unpatched security issues (MITM) in stable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
766670: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766670
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: getmail4
Version: 4.2.0-1
Severity: grave
Tags: security
Justification: user security hole
Getmail before 4.46.0 is vulnerable to MITM attacks:
The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does not
verify X.509 certificates from SSL servers, which allows man-in-the-middle
attackers to spoof IMAP servers and obtain sensitive information via a
crafted certificate. (CVE-2014-7273)
The IMAP-over-SSL implementation in getmail 4.44.0 does not verify that the
server hostname matches a domain name in the subject's Common Name (CN)
field of the X.509 certificate, which allows man-in-the-middle attackers to
spoof IMAP servers and obtain sensitive information via a crafted
certificate from a recognized Certification Authority. (CVE-2014-7274)
The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0 does not
verify X.509 certificates from SSL servers, which allows man-in-the-middle
attackers to spoof POP3 servers and obtain sensitive information via a
crafted certificate. (CVE-2014-7275)
These issues have been fixed in Debian sid and Debian jessie since the end
of April/2014, with the getmail4 4.46.0-1 upload.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
--- End Message ---
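The three CVEs in the report above describe two distinct failures: a client that accepts any certificate at all (CVE-2014-7273 and CVE-2014-7275), and one that validates the chain but never checks that the name in the certificate belongs to the host it dialled (CVE-2014-7274). The block below is an added example, not getmail's own code, written in Python because getmail is a Python program. It builds the insecure and the hardened `ssl.SSLContext` side by side and implements the name check against a peer certificate in the dict shape that `ssl.SSLSocket.getpeercert()` returns. The certificate dicts and the example.com hostnames are constructed for the demonstration. It goes a little beyond the CN-only rule the CVE text describes: dNSName subjectAltName entries are preferred and the Common Name is consulted only when the certificate carries no DNS SAN, which is how current clients behave.

```python
"""Insecure versus hardened TLS client setup for a mail retriever, plus the
server-name check that CVE-2014-7274 was missing.

Added example; not getmail's code.  The peer certificates below are
constructed dicts in ssl.SSLSocket.getpeercert() shape, so nothing here
touches the network.
"""
import imaplib
import ssl
from typing import Mapping, Optional


def legacy_context() -> ssl.SSLContext:
    """Pre-fix behaviour: no chain validation and no hostname check.

    A self-signed certificate minted by an attacker on the path is accepted,
    so the attacker sees the mailbox credentials and every message.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain validation against a CA bundle and hostname verification."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def connect_imap(host: str, port: int = 993, cafile: Optional[str] = None) -> imaplib.IMAP4_SSL:
    """Open an IMAP-over-TLS session that refuses spoofed servers (not run here)."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=hardened_context(cafile))


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored, a
    wildcard only as the entire leftmost label, never spanning a dot, and
    never matching a bare second-level name such as '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert: Mapping) -> tuple:
    """Split a getpeercert() dict into its DNS SANs and its CN values."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for kind, v in rdn if kind == "commonName"]
    return sans, cns


def hostname_matches(cert: Mapping, hostname: str) -> bool:
    """The check CVE-2014-7274 lacked: is `hostname` covered by `cert`?

    DNS SANs win; the CN is a fallback only for certificates with no DNS SAN.
    """
    sans, cns = certificate_names(cert)
    return any(_label_matches(name, hostname) for name in (sans or cns))


# Constructed certificates (not real ones) in getpeercert() shape.
LEGIT_CERT = {
    "subject": ((("commonName", "imap.example.com"),),),
    "subjectAltName": (("DNS", "imap.example.com"), ("DNS", "*.mail.example.com")),
}
# Valid, CA-issued, but for another host: chain validation passes and only
# the name check stops it.  This is the CVE-2014-7274 scenario.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}
# Old-style certificate with a CN and no SAN at all.
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "pop.example.org"),)),
}

if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("attacker", ATTACKER_CERT)):
        print(label, "accepted for imap.example.com:", hostname_matches(cert, "imap.example.com"))
    print("legacy context verifies:", context_verifies(legacy_context()))
    print("hardened context verifies:", context_verifies(hardened_context()))
```

Note that `ssl.create_default_context()` already does both checks; the hand-written `hostname_matches` is there to make the missing step visible and to test it against constructed certificates offline. In a real client, keep `check_hostname` on and let the library do the comparison after the handshake.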
--- Begin Message ---
Source: getmail4
Source-Version: 4.46.0-1~deb7u1
We believe that the bug you reported is fixed in the latest version of
getmail4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 766...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Osamu Aoki <os...@debian.org> (supplier of updated getmail4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 25 Nov 2014 22:21:12 +0900
Source: getmail4
Binary: getmail4
Architecture: source all
Version: 4.46.0-1~deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Osamu Aoki <os...@debian.org>
Changed-By: Osamu Aoki <os...@debian.org>
Description:
getmail4 - mail retriever with support for POP3, IMAP4 and SDPS
Closes: 766670
Changes:
getmail4 (4.46.0-1~deb7u1) wheezy-security; urgency=high
.
* Address security issues (MITM: CVE-2014-7273, CVE-2014-7274,
and CVE-2014-7275) with the newer upstream release. The
upstream stated: The changes in getmail to allow it to
perform server SSL certificate validation and various other
advanced SSL options: would you call those a new feature?
Because it clearly is. But on the other hand, some people
consider the previous behaviour a bug, so perhaps it's a
bugfix. But others say it closes a security hole, so it's a
security fix. I see no way to make a clear-cut distinction
between any of those three possibilities. I don't think you
need to drop *anything*. getmail hasn't had much in the way
of new features in many years, and I try to maintain
compatibility as much as is practical. Just update to the
latest version. ... specifically in regards to getmail in
its "mature" state, where pretty much the only changes going
in are bugfixes and minor feature enhancements, which are
difficult to distinguish between. ... I hope Debian can
simply accept the newer version of getmail; as I said, I try
very hard to keep it compatible when things like the
additional SSL certificate options were added, and getmail
v.4 by itself is more than ten years old at this point, long
into its quiescent "adult" period as far as software goes ;)
Closes: #766670
Checksums-Sha1:
1eaeba5b420eac564aada3dff3bd9c3c2503ada1 1878 getmail4_4.46.0-1~deb7u1.dsc
0e20fcfed6c422e5135304c3728c11c7cee7081a 189522 getmail4_4.46.0.orig.tar.gz
8f2a1d1df0f2da5dac209b1d9afd9ec8ced85cf3 8241 getmail4_4.46.0-1~deb7u1.debian.tar.gz
2df01d9de856f89c2436986bfa7eef11b746e5ef 198528 getmail4_4.46.0-1~deb7u1_all.deb
Checksums-Sha256:
f354ed9e318805379e596e32e5fbb7c332d35971a397e2e71453adf49b7383ee 1878 getmail4_4.46.0-1~deb7u1.dsc
f423269290e8afc0071cabeae88d3f1adfd9dc351041ac14a2d4e05b44ad3897 189522 getmail4_4.46.0.orig.tar.gz
2e1a75ead21ab01295222b1bec3156a6f61e5d28c9c615649294bbb9ad32aba1 8241 getmail4_4.46.0-1~deb7u1.debian.tar.gz
4abdc544bdfaa4702582a07833fb389945afbe57f55b15415e7233a208a3e698 198528 getmail4_4.46.0-1~deb7u1_all.deb
Files:
7cf79b25c28be7ee41bcb32df3aec5fc 1878 mail optional getmail4_4.46.0-1~deb7u1.dsc
aa094ebe558f47246c8af2ca8e1d12f9 189522 mail optional getmail4_4.46.0.orig.tar.gz
e666457e81731c4c2e9d089f85f82f32 8241 mail optional getmail4_4.46.0-1~deb7u1.debian.tar.gz
133afb9cd775bdd710675be088b413cf 198528 mail optional getmail4_4.46.0-1~deb7u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=rgy7
-----END PGP SIGNATURE-----
--- End Message ---