Lucene search
Ubuntu.comUB:CVE-2011-1429HistoryMar 16, 2011 - 12:00 a.m.
CVE-2011-1429
2011-03-1600:00:00
ubuntu.com
ubuntu.com
8
CVSS2
6.8
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
0.003
Percentile
66.2%
Mutt does not verify that the smtps server hostname matches the domain name
of the subject of an X.509 certificate, which allows man-in-the-middle
attackers to spoof an SSL SMTP server via an arbitrary certificate, a
different vulnerability than CVE-2009-3766.
Bugs
- <http://dev.mutt.org/trac/ticket/3506>
- <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619216>
- <https://bugzilla.redhat.com/show_bug.cgi?id=688755>
Notes
| Author | Note |
|---|---|
| mdeslaur | debian may have used an incomplete patch from the upstream bug. |
| tyhicks | This is not specific to SMTPS. It is in the common code that uses GnuTLS, meaning that the IMAPS and POP3S protocols are also affected. Debian is carrying a fix that upstream has not applied. It doesn’t look like this issue is fixed upstream. RHEL is also carrying the same fix. The fix may be the cause of a mutt sidebar related bug (a feature patch that debian and ubuntu carry) After more investigation, the sidebar related bug was preexisting. Hardy’s version of mutt has a considerably different mutt_ssl_gnutls.c and my testing has shown that it is not affected. |
Related
openvas
openvas
Mandriva Update for mutt MDVSA-2012:048 (mutt)
2012-08-03 00:00:00
FreeBSD Ports: mutt-devel
2012-04-30 00:00:00
Mandriva Update for mutt MDVSA-2012:048 (mutt)
2012-08-03 00:00:00
nessus
nessus
Mandriva Linux Security Advisory : mutt (MDVSA-2012:048)
2012-04-03 00:00:00
Fedora 14 : mutt-1.5.21-5.fc14 (2011-7751)
2011-06-12 00:00:00
cvelist
cvelist
CVE-2011-1429
2011-03-16 22:00:00
CVE-2009-3766
2009-10-23 19:00:00
prion
prion
Design/Logic Flaw
2011-03-16 22:55:00
Design/Logic Flaw
2009-10-23 19:30:00
debiancve
debiancve
CVE-2011-1429
2011-03-16 22:55:04
CVE-2009-3766
2009-10-23 19:30:00
cve
cve
CVE-2011-1429
2011-03-16 22:55:04
CVE-2009-3766
2009-10-23 19:30:00
nvd
nvd
CVE-2011-1429
2011-03-16 22:55:04
CVE-2009-3766
2009-10-23 19:30:00
ubuntucve
ubuntucve
CVE-2009-3766
2009-10-23 00:00:00
fedora
fedora
[SECURITY] Fedora 14 Update: mutt-1.5.21-5.fc14
2011-06-11 04:19:42
[SECURITY] Fedora 13 Update: mutt-1.5.21-5.fc13
2011-06-15 05:40:17
[SECURITY] Fedora 15 Update: mutt-1.5.21-5.fc15
2011-06-11 04:18:43
securityvulns
securityvulns
[USN-1221-1] Mutt vulnerability
2011-10-01 00:00:00
mutt SSL certificate validation vulnerability
2011-10-01 00:00:00
redhat
redhat
(RHSA-2011:0959) Moderate: mutt security update
2011-07-19 00:00:00
oraclelinux
oraclelinux
mutt security update
2011-07-19 00:00:00
freebsd
freebsd
mutt-devel -- failure to check SMTP TLS server certificate
2012-03-08 00:00:00
ubuntu
ubuntu
Mutt vulnerability
2011-09-29 00:00:00
cbl_mariner
cbl_mariner
CVE-2011-1429 affecting package mutt 2.2.12-1
2024-10-01 09:12:11
CVSS2
6.8
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
0.003
Percentile
66.2%
Related for UB:CVE-2011-1429