
Bug#603450: offlineimap: fails to check that the remote server's ssl certificate is valid



On Sun, Nov 14, 2010 at 07:55:23PM +1100, david b wrote:
> Package: offlineimap
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> offlineimap performs absolutely no ssl certificate checking. So users could/can be the victim of a man-in-the-middle attack.
> In debian the following bugs exist:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536421 (re certificate expiration)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153240 (re ssl fingerprint checking)
> 
> This could be considered a bug in imaplib (http://bugs.python.org/issue10274).
> A partial 'fix' is the following (this 'fix' isn't complete and would break connections to servers using self-signed certificates):

FWIW, this is a limitation documented on the homepage since 2007:
https://github.com/jgoerzen/offlineimap/wiki  

Cheers,
        Moritz
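For readers who want to see what "no ssl certificate checking" means in concrete terms, here is an added example (editor's illustration, not code from the bug report, from offlineimap, or from the patch the reporter refers to). It uses Python 3's ssl/imaplib API (the ssl_context parameter, which did not exist in the 2010-era imaplib the report concerns) and shows three things side by side: the weak setting (CERT_NONE, no hostname check, which is what an unverified IMAP4_SSL amounts to), the hardened CA-validated context, and a fingerprint-pinning check that lets a client still talk to a self-signed server without accepting an arbitrary MITM certificate. The SAMPLE_DER bytes are a constructed placeholder, not a real certificate; the function and variable names are the example's own.

```python
import hashlib
import hmac
import imaplib
import ssl


def verified_context(cafile=None):
    """Hardened setting: validate the chain against trusted CAs (system
    store, or `cafile`) and check that the hostname matches the cert.
    create_default_context() sets CERT_REQUIRED and check_hostname=True."""
    return ssl.create_default_context(cafile=cafile)


def unverified_context():
    """The weak setting the bug report describes: the TLS handshake still
    happens, but any certificate at all is accepted, so an attacker in the
    path can present their own cert and read the credentials."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    """True only if both chain validation and hostname checking are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin):
    """Accept 'ab:cd:...' or 'ABCD...' and return plain lowercase hex."""
    return pin.replace(":", "").replace(" ", "").lower()


def check_pinned(der_cert, pinned):
    """Constant-time comparison of the leaf cert's fingerprint to the pin."""
    return hmac.compare_digest(fingerprint(der_cert), normalize_pin(pinned))


def connect_verified(host, port=993, cafile=None):
    """IMAP over TLS with full CA and hostname validation (network call)."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=verified_context(cafile))


def connect_pinned(host, pinned, port=993):
    """For self-signed servers: skip CA validation, but refuse any leaf
    certificate whose SHA-256 fingerprint differs from the pinned value.
    The pin must have been recorded out of band (e.g. from the server admin)
    before the first connection (network call)."""
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=unverified_context())
    der = conn.sock.getpeercert(binary_form=True)  # DER bytes, even with CERT_NONE
    if der is None or not check_pinned(der, pinned):
        conn.shutdown()
        raise ssl.SSLCertVerificationError(
            "server certificate fingerprint does not match the pinned value")
    return conn


# Constructed placeholder bytes (a DER SEQUENCE containing INTEGER 1), used
# only so the pinning helpers can be exercised offline; NOT a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PIN = fingerprint(SAMPLE_DER)
```

The pinning path is deliberately separate from the CA path: a client that pins should still fail closed when the recorded fingerprint changes (legitimate key rotation then requires the user to update the pin, which is the price of self-signed certificates), and it should never fall back to the unverified context silently.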
