CVE-2011-1429

Publication date 16 March 2011

Last updated 24 July 2024


Ubuntu priority

Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766.


Status

Package   Ubuntu Release     Status
mutt      11.04 natty        Fixed 1.5.21-2ubuntu3.1
mutt      10.10 maverick     Fixed 1.5.20-9ubuntu2.1
mutt      10.04 LTS lucid    Fixed 1.5.20-7ubuntu1.1
mutt      9.10 karmic        Ignored (end of life)
mutt      8.04 LTS hardy     Not affected
mutt      6.06 LTS dapper    Ignored (end of life)

Notes


mdeslaur

Debian may have used an incomplete patch from the upstream bug.


tyhicks

This is not specific to SMTPS. It is in the common code that uses GnuTLS, meaning that the IMAPS and POP3S protocols are also affected. Debian is carrying a fix that upstream has not applied. It doesn't look like this issue is fixed upstream. RHEL is also carrying the same fix. The fix may be the cause of a mutt sidebar related bug (a feature patch that Debian and Ubuntu carry). After more investigation, the sidebar related bug was preexisting. Hardy's version of mutt has a considerably different mutt_ssl_gnutls.c and my testing has shown that it is not affected.
