Your message dated Fri, 12 Dec 2014 13:49:11 +0000
with message-id <e1xzqal-0006un...@franck.debian.org>
and subject line Bug#766670: fixed in getmail4 4.46.0-1~deb6u1
has caused the Debian Bug report #766670,
regarding getmail4: unpatched security issues (MITM) in stable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
766670: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766670
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: getmail4
Version: 4.2.0-1
Severity: grave
Tags: security
Justification: user security hole
Getmail before 4.46.0 is vulnerable to MITM attacks:
The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does not
verify X.509 certificates from SSL servers, which allows man-in-the-middle
attackers to spoof IMAP servers and obtain sensitive information via a
crafted certificate. (CVE-2014-7273)
The IMAP-over-SSL implementation in getmail 4.44.0 does not verify that the
server hostname matches a domain name in the subject's Common Name (CN)
field of the X.509 certificate, which allows man-in-the-middle attackers to
spoof IMAP servers and obtain sensitive information via a crafted
certificate from a recognized Certification Authority. (CVE-2014-7274)
The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0 does not
verify X.509 certificates from SSL servers, which allows man-in-the-middle
attackers to spoof POP3 servers and obtain sensitive information via a
crafted certificate. (CVE-2014-7275)
These issues have been fixed in Debian sid and Debian jessie since the end
of April 2014, with the getmail4 4.46.0-1 upload.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
--- End Message ---
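The three CVEs in the report above describe two separate missing checks: trusting the server certificate chain at all (CVE-2014-7273, CVE-2014-7275) and matching the server hostname against the certificate (CVE-2014-7274). The following added example, which is not getmail's own code, shows both against Python's ssl module: a context that enforces CA verification and hostname checking for an IMAP-over-TLS client, and a stand-alone hostname matcher (SAN first, CN fallback, single leftmost wildcard label) run over constructed certificate dicts in the shape `SSLSocket.getpeercert()` returns. All host names and certificate contents are constructed.

```python
import imaplib
import ssl

def hardened_context(cafile=None):
    """Context that fails the handshake on an untrusted chain (CVE-2014-7273/7275)
    and on a hostname mismatch (CVE-2014-7274). cafile=None loads the system CAs."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # must be a verifying mode before check_hostname=True
    ctx.check_hostname = True
    return ctx

def context_enforces_verification(ctx):
    """True only if both checks are on; the pre-4.46 behaviour would fail this."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def imap_ssl_client(host, port=993, cafile=None):
    """IMAP over TLS; a server presenting a certificate that does not verify
    now raises ssl.SSLCertVerificationError instead of being silently accepted."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=hardened_context(cafile))

def _label_matches(pattern, hostname):
    """Case-insensitive; a single leftmost '*' label matches exactly one label."""
    p, h = pattern.lower(), hostname.lower()
    if not p.startswith("*."):
        return p == h
    rest, parts = p[2:], h.split(".", 1)
    return "*" not in rest and len(parts) == 2 and parts[1] == rest

def hostname_matches(cert, hostname):
    """cert has the dict shape of SSLSocket.getpeercert(). subjectAltName DNS
    entries win; the subject CN is consulted only when no SAN DNS name exists."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(_label_matches(n, hostname) for n in names)

# Constructed certificate dicts standing in for real getpeercert() output.
CERT_MAIL = {"subject": ((("commonName", "mail.example.net"),),),
             "subjectAltName": (("DNS", "mail.example.net"), ("DNS", "*.example.net"))}
CERT_OTHER_HOST = {"subject": ((("commonName", "host.example.org"),),),
                   "subjectAltName": (("DNS", "host.example.org"),)}
CERT_CN_ONLY = {"subject": ((("commonName", "pop.example.net"),),)}
```

A CA-issued certificate for a different host (CERT_OTHER_HOST) passes chain verification but must still be rejected by the hostname check; that is exactly the gap CVE-2014-7274 describes.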
--- Begin Message ---
Source: getmail4
Source-Version: 4.46.0-1~deb6u1
We believe that the bug you reported is fixed in the latest version of
getmail4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 766...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Osamu Aoki <os...@debian.org> (supplier of updated getmail4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 08 Dec 2014 23:39:45 +0900
Source: getmail4
Binary: getmail4
Architecture: source all
Version: 4.46.0-1~deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Osamu Aoki <os...@debian.org>
Changed-By: Osamu Aoki <os...@debian.org>
Description:
getmail4 - mail retriever with support for POP3, IMAP4 and SDPS
Closes: 766670
Changes:
getmail4 (4.46.0-1~deb6u1) squeeze-lts; urgency=high
.
* Address security issues (MITM: CVE-2014-7273, CVE-2014-7274,
and CVE-2014-7275) with the newer upstream release. The
upstream stated: The changes in getmail to allow it to
perform server SSL certificate validation and various other
advanced SSL options: would you call those a new feature?
Because it clearly is. But on the other hand, some people
consider the previous behaviour a bug, so perhaps it's a
bugfix. But others say it closes a security hole, so it's a
security fix. I see no way to make a clear-cut distinction
between any of those three possibilities. I don't think you
need to drop *anything*. getmail hasn't had much in the way
of new features in many years, and I try to maintain
compatibility as much as is practical. Just update to the
latest version. ... specifically in regards to getmail in
its "mature" state, where pretty much the only changes going
in are bugfixes and minor feature enhancements, which are
difficult to distinguish between. ... I hope Debian can
simply accept the newer version of getmail; as I said, I try
very hard to keep it compatible when things like the
additional SSL certificate options were added, and getmail
v.4 by itself is more than ten years old at this point, long
into its quiescent "adult" period as far as software goes ;)
Closes: #766670
--- End Message ---