Debian Bug report logs - #428157
[CVE-2007-3209] Silently falls back to unencrypted connection: password sent in cleartext
Reported by: Ted Percival <ted@midg3t.net>
Date: Sat, 9 Jun 2007 12:48:01 UTC
Severity: grave
Tags: patch, security, upstream
Merged with 429200
Found in versions mail-notification/3.0.dfsg.1-10, mail-notification/3.0.dfsg.1-10+b1, mail-notification/4.0.dfsg.1-1, mail-notification/4.0~rc2.dfsg.1-4
Fixed in version mail-notification/4.0.dfsg.1-2
Done: Pascal Giard <pascal@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://savannah.nongnu.org/bugs/index.php?20131
Report forwarded to debian-bugs-dist@lists.debian.org, Pascal Giard <pascal@debian.org>: Bug#428157; Package mail-notification.
Acknowledgement sent to Ted Percival <ted@midg3t.net>: New Bug report received and forwarded. Copy sent to Pascal Giard <pascal@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: mail-notification
Version: 4.0.dfsg.1-1+b1
Severity: important
mail-notification falls back to unencrypted connections even when the
user has configured a connection to use SSL/TLS. mail-notification will
send a user's password over an insecure connection and it can easily be
sniffed.
It should be clear to the user that SSL/TLS connections are not
possible and there should be no fallback to insecure connections.
This is somewhat related to bug #286672 (Can't use SSL/TLS).
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-k7 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages mail-notification depends on:
mail-notification recommends no packages.
-- no debconf information
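The fallback the report describes, as an added illustration that is not mail-notification's own code: a minimal POP3 STLS login run against a scripted server. The POP3 command names, the `session` struct, the "sniffer capture" of cleartext bytes and every function name are constructed for this example. The vulnerable flow ignores a refused STLS and sends USER/PASS anyway; the strict flow aborts before any credential is written and tells the user why.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Scripted POP3 server plus a capture of the cleartext bytes a passive
 * sniffer on the path would see. Constructed for this example; no sockets. */
typedef struct {
    bool supports_stls;   /* server answers +OK to STLS */
    bool tls_active;      /* set once STLS succeeded */
    char wire[256];       /* only bytes sent before TLS was up */
} session;
static void send_line(session *s, const char *cmd) {
    if (s->tls_active) return;            /* encrypted, not observable */
    size_t n = strlen(s->wire);
    snprintf(s->wire + n, sizeof s->wire - n, "%s\r\n", cmd);
}
static bool do_stls(session *s) {
    send_line(s, "STLS");
    if (!s->supports_stls) return false;  /* server replied -ERR */
    s->tls_active = true;                 /* handshake assumed to succeed */
    return true;
}
static void send_credentials(session *s, const char *user, const char *pass) {
    char buf[128];
    snprintf(buf, sizeof buf, "USER %s", user); send_line(s, buf);
    snprintf(buf, sizeof buf, "PASS %s", pass); send_line(s, buf);
}
/* Vulnerable flow (the behaviour reported in #428157): the user asked for
 * SSL/TLS, STLS is refused, and the client logs in anyway over plaintext. */
bool pop3_login_fallback(session *s, const char *user, const char *pass) {
    (void)do_stls(s);                     /* failure silently ignored */
    send_credentials(s, user, pass);
    return true;
}

/* Hardened flow (what the report asks for): a refused STLS aborts the login
 * before any credential is written, and the failure is surfaced to the user. */
bool pop3_login_strict(session *s, const char *user, const char *pass) {
    if (!do_stls(s)) {
        fprintf(stderr, "SSL/TLS required but STLS refused; login aborted\n");
        return false;
    }
    send_credentials(s, user, pass);
    return true;
}

/* True if a PASS command went out while the connection was still cleartext. */
bool password_sniffable(const session *s) {
    return strstr(s->wire, "PASS ") != NULL;
}
```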
Tags added: upstream. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 09 Jun 2007 13:15:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Pascal Giard <pascal@debian.org>: Bug#428157; Package mail-notification.
Acknowledgement sent to Ted Percival <ted@midg3t.net>: Extra info received and forwarded to list. Copy sent to Pascal Giard <pascal@debian.org>.
Message #14 received at 428157@bugs.debian.org:
tags 428157 patch security
stop
I have sent a patch for this to the upstream tracker:
https://savannah.nongnu.org/bugs/index.php?20131
https://savannah.nongnu.org/bugs/download.php?file_id=12991
I wonder if this should be set to grave severity because of password
leakage.
Tags added: patch, security. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 09 Jun 2007 15:21:03 GMT)
Severity set to `grave' from `important'. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 09 Jun 2007 15:27:09 GMT)
Bug marked as found in version 4.0~rc2.dfsg.1-4. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 09 Jun 2007 15:33:02 GMT)
Bug marked as found in version 3.0.dfsg.1-10+b1. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 09 Jun 2007 15:57:02 GMT)
Forcibly Merged 428157 429200. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 16 Jun 2007 17:12:10 GMT)
Changed Bug title to `[CVE-2007-3209] Silently falls back to unencrypted connection: password sent in cleartext' from `mail-notification: Silently falls back to unencrypted connection: password sent in cleartext'. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 16 Jun 2007 17:12:13 GMT)
Reply sent to Pascal Giard <pascal@debian.org>: You have taken responsibility.
Notification sent to Ted Percival <ted@midg3t.net>: Bug acknowledged by developer.
Message #31 received at 428157-close@bugs.debian.org:
Source: mail-notification
Source-Version: 4.0.dfsg.1-2
We believe that the bug you reported is fixed in the latest version of
mail-notification, which is due to be installed in the Debian FTP archive:
mail-notification-evolution_4.0.dfsg.1-2_amd64.deb
to pool/main/m/mail-notification/mail-notification-evolution_4.0.dfsg.1-2_amd64.deb
mail-notification_4.0.dfsg.1-2.diff.gz
to pool/main/m/mail-notification/mail-notification_4.0.dfsg.1-2.diff.gz
mail-notification_4.0.dfsg.1-2.dsc
to pool/main/m/mail-notification/mail-notification_4.0.dfsg.1-2.dsc
mail-notification_4.0.dfsg.1-2_amd64.deb
to pool/main/m/mail-notification/mail-notification_4.0.dfsg.1-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 428157@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pascal Giard <pascal@debian.org> (supplier of updated mail-notification package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 26 Jun 2007 00:18:05 -0400
Source: mail-notification
Binary: mail-notification mail-notification-evolution
Architecture: source amd64
Version: 4.0.dfsg.1-2
Distribution: unstable
Urgency: low
Maintainer: Pascal Giard <pascal@debian.org>
Changed-By: Pascal Giard <pascal@debian.org>
Description:
mail-notification - mail notification in system tray
mail-notification-evolution - evolution support for mail notification
Closes: 427888 428157 429200
Changes:
mail-notification (4.0.dfsg.1-2) unstable; urgency=low
.
* [debian/control]:
- Added missing dependency on notification-daemon (closes: #427888).
* [debian/patches/06-mail-notif-ssl.diff]:
- Added patch preventing mail-notification from sending passwords in cleartext when SSL
is unavailable (closes: #428157, #429200). Thanks to Ted Percival <ted@midg3t.net>.
Reply sent to Pascal Giard <pascal@debian.org>: You have taken responsibility.
Notification sent to Florian Weimer <fw@deneb.enyo.de>: Bug acknowledged by developer.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 07:26:37 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 16:44:48 2019; Machine Name: beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.