Bug#603450: offlineimap: fails check the remote servers ssl certificate is valid

To: david b <db.pub.mail@gmail.com>, 603450@bugs.debian.org
Subject: Bug#603450: offlineimap: fails check the remote servers ssl certificate is valid
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 27 Dec 2010 00:11:51 +0100
Message-id: <[🔎] 20101226231151.GA20220@radis.liafa.jussieu.fr>
Reply-to: Julien Cristau <jcristau@debian.org>, 603450@bugs.debian.org
In-reply-to: <20101114085523.4894.64123.reportbug@linode.d1b.org>
References: <20101114085523.4894.64123.reportbug@linode.d1b.org>

severity 603450 important
kthxbye

On Sun, Nov 14, 2010 at 19:55:23 +1100, david b wrote:

> Package: offlineimap
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> offlineimap performs absolutely no ssl certificate checking. So users could/can be the victim of a man in the middle attack.

Long known/documented limitation, I don't think this is RC.  A fix can
still be considered either before release or for a point update.

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Processed: Re: Bug#603450: offlineimap: fails check the remote servers ssl certificate is valid
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Packages: Actualizate, nueva version del Groupmail.
Next by Date: Processed: Re: Bug#603450: offlineimap: fails check the remote servers ssl certificate is valid
Previous by thread: Bug#603450: offlineimap: fails check the remote servers ssl certificate is valid
Next by thread: Processed: Re: Bug#603450: offlineimap: fails check the remote servers ssl certificate is valid
Index(es):
- Date
- Thread