CVE-2011-1429

Published: 16 March 2011

Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766.

Priority

Medium

Status

Package Release Status
mutt
Launchpad, Ubuntu, Debian
Upstream
Released (1.5.21-5)

Notes

AuthorNote
mdeslaur
debian may have used an incomplete patch from the upstream
bug.
tyhicks
This is not specific to SMTPS. It is in the common code that
uses GnuTLS, meaning that the IMAPS and POP3S protocols are also
affected.
Debian is carrying a fix that upstream has not applied. It doesn't
look like this issue is fixed upstream. RHEL is also carrying the
same fix.
The fix may be the cause of a mutt sidebar related bug (a feature
patch that debian and ubuntu carry)
After more investigation, the sidebar related bug was preexisting.
Hardy's version of mutt has a considerably different
mutt_ssl_gnutls.c and my testing has shown that it is not affected.

References

Bugs