CVE-2009-3766

2009-10-2319:30:00

Debian Security Bug Tracker

security-tracker.debian.org

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.001

Percentile

36.2%

JSON

mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject’s Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

OSVersionArchitecturePackageVersionFilename
Debian12allmutt< 2.2.12-0.1~deb12u1mutt_2.2.12-0.1~deb12u1_all.deb
Debian11allmutt< 2.0.5-4.1+deb11u3mutt_2.0.5-4.1+deb11u3_all.deb
Debian999allmutt< 2.2.13-1mutt_2.2.13-1_all.deb
Debian13allmutt< 2.2.13-1mutt_2.2.13-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	mutt	< 2.2.12-0.1~deb12u1	mutt_2.2.12-0.1~deb12u1_all.deb
Debian	11	all	mutt	< 2.0.5-4.1+deb11u3	mutt_2.0.5-4.1+deb11u3_all.deb
Debian	999	all	mutt	< 2.2.13-1	mutt_2.2.13-1_all.deb
Debian	13	all	mutt	< 2.2.13-1	mutt_2.2.13-1_all.deb