[ubuntu-hardened] Please backport fix to Exim4: [Bug 1384232] Re: Certificate hostname verification fix
Chuck Peters
cp at axs.org
Sun Jun 21 20:54:30 UTC 2015
Andreas Metzler pointed to a set of patches which are included in the upcoming release of Exim4. I would like to see this issue resolved for trusty and newer releases.
Is someone from the Server Team, or Security Team, backporting this set of patches?
If so, will we see a backport for trusty?
Perhaps this issue could be discussed at the next Security Team meeting Monday or Server Team meeting Tuesday?
Thanks,
Chuck
----- Forwarded message from Andreas Metzler <1384232 at bugs.launchpad.net> -----
Date: Sun, 21 Jun 2015 05:33:47 -0000
From: Andreas Metzler <1384232 at bugs.launchpad.net>
To: cp at axs.org
Subject: [Bug 1384232] Re: Certificate hostname verification fix
This seems to be enabled by default in 4.86RC.
http://git.exim.org/exim.git/commit/01a4a5c5cbaa40ca618d3e233991ce183b551477
https://bugs.launchpad.net/bugs/1384232
Title:
Certificate hostname verification fix
Status in exim4 package in Ubuntu:
Confirmed
Bug description:
We did an automatic static analysis on exim4 packages in Ubuntu and
found that EXIM will not verify the hostname of an SMTP server against
its certificate. This will possibly result in a man-in-the-middle
attack. We reported this bug directly to exim.org in May 2014 and
they fixed this problem in their latest release. So please fix this issue
in Ubuntu.
Bug: http://bugs.exim.org/show_bug.cgi?id=1479
Fix:
http://git.exim.org/exim.git/commit/e51c7be22dfccad376659a1a46cee93c9979bbf7
----- End forwarded message -----
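As an added illustration, not part of this thread or of Exim's own shipped configuration, here is an smtp transport fragment showing the setting the bug describes (no hostname check) next to a hardened one. The transport name `remote_smtp` and the `example.com` domain list are assumptions; the option names are Exim smtp-transport options as documented for the 4.86-era releases.

```exim
# Outbound SMTP transport. 'remote_smtp' is an assumed transport name.
remote_smtp:
  driver = smtp

  # Weak (the situation reported in bug 1384232): TLS is negotiated
  # opportunistically, but no CA bundle is configured and the peer's
  # MX hostname is never compared with the certificate's Subject/SAN,
  # so any certificate is accepted and an on-path attacker can
  # impersonate the remote MX.
  #   tls_verify_certificates =          (unset)
  #   tls_verify_hosts        =          (empty)

  # Hardened: validate the chain against the system CA store and check
  # the hostname against the certificate for every peer.
  tls_verify_certificates   = system
  tls_verify_cert_hostnames = *

  # Best-effort verification for the open Internet (delivery continues
  # if verification fails, but $tls_out_certificate_verified is 0)...
  tls_try_verify_hosts = *
  # ...and strict verification for domains whose MXs are known to
  # present valid certificates: delivery fails rather than proceeding
  # over an unverified session. Domain list is a constructed example.
  tls_verify_hosts  = *.example.com : example.com
  hosts_require_tls = *.example.com : example.com
```

With `tls_try_verify_hosts` alone, a failed check is only logged, so pair it with `tls_verify_hosts` (and `hosts_require_tls`, to prevent cleartext fallback) for peers where delivery must not proceed unverified.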