CVE-2011-1429

Published: 16 March 2011

Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766.

Notes

Author: mdeslaur
Note: Debian may have used an incomplete patch from the upstream bug.

Author: tyhicks
Note: This is not specific to SMTPS. It is in the common code that uses GnuTLS, meaning that the IMAPS and POP3S protocols are also affected.
Note: Debian is carrying a fix that upstream has not applied. It doesn't look like this issue is fixed upstream. RHEL is also carrying the same fix.
Note: The fix may be the cause of a mutt sidebar related bug (a feature patch that Debian and Ubuntu carry).
Note: After more investigation, the sidebar related bug was preexisting.
Note: Hardy's version of mutt has a considerably different mutt_ssl_gnutls.c and my testing has shown that it is not affected.

Priority

Medium

Status

Package: mutt (Launchpad, Ubuntu, Debian)

Release    Status
dapper     Ignored (end of life)
hardy      Not vulnerable
karmic     Ignored (end of life)
lucid      Released (1.5.20-7ubuntu1.1)
maverick   Released (1.5.20-9ubuntu2.1)
natty      Released (1.5.21-2ubuntu3.1)
upstream   Released (1.5.21-5)