CVE-2016-10937: #939702 - imapfilter: CVE-2016-10937: does not validate hostname
IMAPFilter through 2.6.12 does not validate the hostname in an SSL certificate.
Debian Bug report logs - #939702
imapfilter: CVE-2016-10937: does not validate hostname
Report forwarded to [email protected], [email protected], [email protected], Francesco Paolo Lovergine [email protected]:
Bug#939702; Package imapfilter. (Sat, 07 Sep 2019 21:48:04 GMT).
Acknowledgement sent to Quentin Hibon [email protected]:
New Bug report received and forwarded. Copy sent to [email protected], [email protected], Francesco Paolo Lovergine [email protected]. (Sat, 07 Sep 2019 21:48:04 GMT).
Message #5 received at [email protected]:
Package: imapfilter
Version: 1:2.6.12-1
Severity: grave
Tags: security upstream
Justification: user security hole
Dear maintainer,
imapfilter does not validate the hostname while validating the certificate, as explained in the upstream issue:
https://github.com/lefcha/imapfilter/issues/142
-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'testing'), (80, 'stable'), (70, 'testing'), (60, 'unstable'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages imapfilter depends on:
ii  libc6        2.28-10
ii  liblua5.2-0  5.2.4-1.1+b2
ii  libpcre3     2:8.39-12
ii  libssl1.1    1.1.1c-1
imapfilter recommends no packages.
imapfilter suggests no packages.
-- no debconf information
Changed Bug title to 'imapfilter: CVE-2016-10937: does not validate hostname' from 'imapfilter: does not validate hostname'. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Sun, 08 Sep 2019 19:00:07 GMT).
Information forwarded to [email protected], [email protected], Francesco Paolo Lovergine [email protected]:
Bug#939702; Package imapfilter. (Mon, 16 Sep 2019 21:33:03 GMT).
Acknowledgement sent to Quentin Hibon [email protected]:
Extra info received and forwarded to list. Copy sent to [email protected], Francesco Paolo Lovergine [email protected]. (Mon, 16 Sep 2019 21:33:03 GMT).
Message #14 received at [email protected]:
Dear maintainer,
a fix is now available for this vulnerability:
https://github.com/lefcha/imapfilter/commit/bf2515da752eddd54973adb0853c6aa289e921b6
Added tag(s) fixed-upstream. Request was from [email protected] to [email protected]. (Thu, 19 Sep 2019 19:51:07 GMT).
Reply sent to Sylvestre Ledru [email protected]:
You have taken responsibility. (Wed, 25 Sep 2019 15:45:09 GMT).
Notification sent to Quentin Hibon [email protected]:
Bug acknowledged by developer. (Wed, 25 Sep 2019 15:45:09 GMT).
Message #21 received at [email protected]:
Source: imapfilter
Source-Version: 1:2.6.13-1
We believe that the bug you reported is fixed in the latest version of imapfilter, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Sylvestre Ledru [email protected] (supplier of updated imapfilter package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
Format: 1.8
Date: Wed, 25 Sep 2019 16:10:51 +0200
Source: imapfilter
Architecture: source
Version: 1:2.6.13-1
Distribution: unstable
Urgency: medium
Maintainer: Francesco Paolo Lovergine [email protected]
Changed-By: Sylvestre Ledru [email protected]
Closes: 939702
Changes:
 imapfilter (1:2.6.13-1) unstable; urgency=medium
 .
   * New upstream release
     - Validates the hostname (Closes: #939702)
Bug archived. Request was from Debbugs Internal Request [email protected] to [email protected]. (Sun, 12 Sep 2021 07:25:18 GMT).
Debian bug tracking system administrator <[email protected]>. Last modified: Thu Feb 16 03:05:56 2023; Machine Name: bembo