Giuseppe Iuculano
2009-Oct-31 10:01 UTC
[Secure-testing-team] Bug#553433: CVE-2009-3766: missing host name vs. SSL certificate name checks
Package: mutt
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mutt.

CVE-2009-3766[0]:
| mutt_ssl.c in mutt 1.5.16, when OpenSSL is used, does not verify the
| domain name in the subject's Common Name (CN) field of an X.509
| certificate, which allows man-in-the-middle attackers to spoof SSL
| servers via an arbitrary valid certificate.

Please coordinate with the security team (team at security.debian.org) to
prepare packages for the stable and oldstable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3766
    http://security-tracker.debian.org/tracker/CVE-2009-3766
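The check the CVE text says mutt_ssl.c lacked, shown as an added example that is not mutt's code and not part of the original report: given the names a certificate carries (SAN dNSNames, or the subject CN when there are none) and the host the client connected to, decide whether the certificate actually covers that host. The function names, the SAN-before-CN rule and the wildcard handling (one wildcard, as the whole leftmost label only) are this example's assumptions, not anything the bug report specifies.

```c
/* Illustrative host-name vs. certificate-name check for the class of
 * bug in CVE-2009-3766. Not mutt's mutt_ssl.c; names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Does one certificate name (exact, or "*.example.org") cover host?
 * Comparison is case-insensitive; a wildcard matches exactly one label. */
bool cert_name_matches(const char *cert_name, const char *host)
{
    if (cert_name == NULL || host == NULL || *cert_name == '\0' || *host == '\0')
        return false;
    if (strchr(cert_name, '*') == NULL)
        return strcasecmp(cert_name, host) == 0;        /* plain name */
    /* Only "*." at the very start counts; "f*.example.org" or "*.*.x" does not. */
    if (strncmp(cert_name, "*.", 2) != 0 || strchr(cert_name + 2, '*') != NULL)
        return false;
    const char *suffix = cert_name + 1;                 /* ".example.org" */
    if (strchr(suffix + 1, '.') == NULL)
        return false;                                   /* "*.org" is too broad */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;                                   /* host needs a leftmost label */
    return strcasecmp(dot, suffix) == 0;                /* "*" must cover one label only */
}

/* The whole check: when the certificate carries SAN dNSNames, only they
 * count; the CN is consulted only for a certificate with no dNSName.
 * Returns true when some applicable name covers host. */
bool hostname_verified(const char *const *san_names, size_t n_san,
                       const char *cn, const char *host)
{
    if (n_san > 0) {
        for (size_t i = 0; i < n_san; i++)
            if (cert_name_matches(san_names[i], host))
                return true;
        return false;   /* SANs present but none match: CN is ignored */
    }
    return cert_name_matches(cn, host);
}
```

A client that skips this step accepts any certificate the chain validation likes, which is exactly why an arbitrary valid certificate suffices for the spoofing the report describes.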