Debian Bug report logs - #428157
[CVE-2007-3209] Silently falls back to unencrypted connection: password sent in cleartext


Package: mail-notification; Maintainer for mail-notification is Stephen Kitt <skitt@debian.org>; Source for mail-notification is src:mail-notification.

Reported by: Ted Percival <ted@midg3t.net>

Date: Sat, 9 Jun 2007 12:48:01 UTC

Severity: grave

Tags: patch, security, upstream

Merged with 429200

Found in versions mail-notification/3.0.dfsg.1-10, mail-notification/3.0.dfsg.1-10+b1, mail-notification/4.0.dfsg.1-1, mail-notification/4.0~rc2.dfsg.1-4

Fixed in version mail-notification/4.0.dfsg.1-2

Done: Pascal Giard <pascal@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://savannah.nongnu.org/bugs/index.php?20131



Report forwarded to debian-bugs-dist@lists.debian.org, Pascal Giard <pascal@debian.org>:
Bug#428157; Package mail-notification.

Acknowledgement sent to Ted Percival <ted@midg3t.net>:
New Bug report received and forwarded. Copy sent to Pascal Giard <pascal@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Ted Percival <ted@midg3t.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mail-notification: Silently falls back to unencrypted connection: password sent in cleartext
Date: Sat, 09 Jun 2007 22:45:34 +1000
Package: mail-notification
Version: 4.0.dfsg.1-1+b1
Severity: important

mail-notification falls back to unencrypted connections even when the
user has configured a connection to use SSL/TLS. mail-notification will
send a user's password over an insecure connection and it can easily be
sniffed.

It should be clear to the user that SSL/TLS connections are not
possible and there should be no fallback to insecure connections.

This is somewhat related to bug #286672 (Can't use SSL/TLS).


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-k7 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mail-notification depends on:
ii  gnome-icon-theme       2.18.0-3          GNOME Desktop icon theme
ii  libart-2.0-2           2.3.19-3          Library of functions for 2D graphi
ii  libatk1.0-0            1.18.0-2          The ATK accessibility toolkit
ii  libbonobo2-0           2.18.0-2          Bonobo CORBA interfaces library
ii  libbonoboui2-0         2.18.0-5          The Bonobo UI library
ii  libc6                  2.5-10            GNU C Library: Shared libraries
ii  libcairo2              1.4.6-1.1         The Cairo 2D vector graphics libra
ii  libdbus-1-3            1.0.2-5           simple interprocess messaging syst
ii  libdbus-glib-1-2       0.73-2            simple interprocess messaging syst
ii  libeel2-2.18           2.18.0.1-2        Eazel Extensions Library (for GNOM
ii  libfontconfig1         2.4.2-1.2         generic font configuration library
ii  libfreetype6           2.2.1-6           FreeType 2 font engine, shared lib
ii  libgail-common         1.18.0-2          GNOME Accessibility Implementation
ii  libgail18              1.18.0-2          GNOME Accessibility Implementation
ii  libgconf2-4            2.18.0.1-3        GNOME configuration database syste
ii  libglade2-0            1:2.6.0-4         library to load .glade files at ru
ii  libglib2.0-0           2.12.12-1         The GLib library of C routines
ii  libgmime-2.0-2         2.2.9-1           MIME library, unstable version
ii  libgnome-keyring0      0.8.1-2           GNOME keyring services library
ii  libgnome2-0            2.18.0-4          The GNOME 2 library - runtime file
ii  libgnomecanvas2-0      2.14.0-2          A powerful object-oriented display
ii  libgnomeui-0           2.18.1-2          The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0         1:2.18.1-2        GNOME Virtual File System (runtime
ii  libgtk2.0-0            2.10.12-2         The GTK+ graphical user interface 
ii  libice6                1:1.0.3-2         X11 Inter-Client Exchange library
ii  libnotify1 [libnotify1 0.4.4-3           sends desktop notifications to a n
ii  liborbit2              1:2.14.7-0.1      libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0          1.16.4-1          Layout and rendering of internatio
ii  libpng12-0             1.2.15~beta5-2    PNG library - runtime
ii  libpopt0               1.10-3            lib for parsing cmdline parameters
ii  libsasl2-2             2.1.22.dfsg1-8+b1 Authentication abstraction library
ii  libsm6                 2:1.0.3-1         X11 Session Management library
ii  libx11-6               2:1.0.3-7         X11 client-side library
ii  libxcursor1            1:1.1.8-2         X cursor management library
ii  libxext6               1:1.0.3-2         X11 miscellaneous extension librar
ii  libxfixes3             1:4.0.3-2         X11 miscellaneous 'fixes' extensio
ii  libxi6                 1:1.0.1-4         X11 Input extension library
ii  libxinerama1           1:1.0.2-1         X11 Xinerama extension library
ii  libxml2                2.6.28.dfsg-1     GNOME XML library
ii  libxrandr2             2:1.2.1-1         X11 RandR extension library
ii  libxrender1            1:0.9.2-1         X Rendering Extension client libra
ii  zlib1g                 1:1.2.3-15        compression library - runtime

mail-notification recommends no packages.

-- no debconf information
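The failure mode described in this report, as an added example that is not mail-notification's code: a constructed, in-process POP3-style server that only speaks plaintext stands in for a mail server on which SSL/TLS is unavailable, and two small clients are run against it. `check_mail_fail_open` reproduces the reported behaviour (the TLS handshake fails, the client silently reconnects in plaintext and sends USER/PASS anyway); `check_mail_fail_closed` does what the 4.0.dfsg.1-2 changelog entry describes, refusing to send the password when SSL is unavailable. The host, port, `PASSWORD` value, user name and function names are illustrative assumptions.

```python
"""Fail-open vs. fail-closed TLS handling in a mail-check client.
Added illustration, not mail-notification's code.  The fake server records
every line it receives so we can see whether a password crossed the wire."""
import socket
import ssl
import threading

PASSWORD = "s3cret-example"  # constructed sample credential, not a real one


class FakePlaintextPop3(threading.Thread):
    """Minimal POP3-style server that never negotiates TLS and logs input."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.received = []
        self.lock = threading.Lock()

    def saw_password(self, password):
        with self.lock:
            return f"PASS {password}" in self.received

    def _serve(self, conn):
        conn.settimeout(5)
        # Greeting goes out before anything is read, like a real POP3 server.
        conn.sendall(b"+OK fake POP3 server ready\r\n")
        buf = b""
        while True:
            data = conn.recv(4096)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                text = line.decode("ascii", errors="replace")
                with self.lock:
                    self.received.append(text)
                conn.sendall(b"+OK\r\n")
                if text.upper() == "QUIT":
                    return

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            try:
                with conn:
                    self._serve(conn)
            except OSError:
                pass  # peer went away, e.g. a client aborting a TLS handshake


def _tls_connect(host, port):
    """TLS with certificate verification on.  Against a plaintext-only server
    the handshake raises ssl.SSLError: the "+OK" greeting is not a TLS record."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=5)
    return ctx.wrap_socket(raw, server_hostname=host)


def _login(sock, user, password):
    sock.recv(1024)  # greeting
    for cmd in (f"USER {user}", f"PASS {password}", "QUIT"):
        sock.sendall(cmd.encode("ascii") + b"\r\n")
        sock.recv(1024)


def check_mail_fail_open(host, port, user, password):
    """Reported behaviour: TLS is configured, but when the handshake fails the
    client silently retries in plaintext and authenticates anyway.
    Returns whether TLS was actually used."""
    try:
        sock, used_tls = _tls_connect(host, port), True
    except ssl.SSLError:
        sock, used_tls = socket.create_connection((host, port), timeout=5), False
    with sock:
        _login(sock, user, password)
    return used_tls


def check_mail_fail_closed(host, port, user, password):
    """Fixed behaviour: if TLS cannot be established, surface the error and
    never send the credentials over an unencrypted connection."""
    try:
        sock = _tls_connect(host, port)
    except ssl.SSLError as exc:
        raise ConnectionError(
            f"TLS required but not available on {host}:{port}: {exc}") from None
    with sock:
        _login(sock, user, password)
    return True


def demo():
    """Run both clients against plaintext-only servers; report what leaked."""
    results = {}
    server = FakePlaintextPop3()
    server.start()
    results["fail_open_used_tls"] = check_mail_fail_open(
        "127.0.0.1", server.port, "alice", PASSWORD)
    results["fail_open_leaked_password"] = server.saw_password(PASSWORD)

    server = FakePlaintextPop3()
    server.start()
    try:
        check_mail_fail_closed("127.0.0.1", server.port, "alice", PASSWORD)
        results["fail_closed_refused"] = False
    except ConnectionError:
        results["fail_closed_refused"] = True
    results["fail_closed_leaked_password"] = server.saw_password(PASSWORD)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the file prints a dictionary showing the fail-open client logging in without TLS while the server has recorded the PASS line, and the fail-closed client raising before any credential is sent. The same rule applies to STARTTLS: a missing or rejected STARTTLS must abort the login, not continue in plaintext.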



Noted your statement that Bug has been forwarded to https://savannah.nongnu.org/bugs/index.php?20131. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 09 Jun 2007 13:15:01 GMT)

Tags added: upstream. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 09 Jun 2007 13:15:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Pascal Giard <pascal@debian.org>:
Bug#428157; Package mail-notification.

Acknowledgement sent to Ted Percival <ted@midg3t.net>:
Extra info received and forwarded to list. Copy sent to Pascal Giard <pascal@debian.org>.

Message #14 received at 428157@bugs.debian.org:

From: Ted Percival <ted@midg3t.net>
To: 428157@bugs.debian.org
Cc: control@bugs.debian.org
Subject: mail-notification: patch for incorrect no-SSL behaviour
Date: Sun, 10 Jun 2007 01:16:58 +1000
tags 428157 patch security
stop

I have sent a patch for this to the upstream tracker:
 https://savannah.nongnu.org/bugs/index.php?20131
 https://savannah.nongnu.org/bugs/download.php?file_id=12991

I wonder if this should be set to grave severity because of password
leakage.


Tags added: patch, security. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 09 Jun 2007 15:21:03 GMT)

Severity set to `grave' from `important'. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 09 Jun 2007 15:27:09 GMT)

Bug marked as found in version 4.0~rc2.dfsg.1-4. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 09 Jun 2007 15:33:02 GMT)

Bug marked as found in version 3.0.dfsg.1-10+b1. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 09 Jun 2007 15:57:02 GMT)

Forcibly Merged 428157 429200. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 16 Jun 2007 17:12:10 GMT)

Changed Bug title to `[CVE-2007-3209] Silently falls back to unencrypted connection: password sent in cleartext' from `mail-notification: Silently falls back to unencrypted connection: password sent in cleartext'. Request was from Ted Percival <ted@midg3t.net> to control@bugs.debian.org. (Sat, 16 Jun 2007 17:12:13 GMT)

Reply sent to Pascal Giard <pascal@debian.org>:
You have taken responsibility.

Notification sent to Ted Percival <ted@midg3t.net>:
Bug acknowledged by developer.

Message #31 received at 428157-close@bugs.debian.org:

From: Pascal Giard <pascal@debian.org>
To: 428157-close@bugs.debian.org
Subject: Bug#428157: fixed in mail-notification 4.0.dfsg.1-2
Date: Tue, 26 Jun 2007 04:47:03 +0000
Source: mail-notification
Source-Version: 4.0.dfsg.1-2

We believe that the bug you reported is fixed in the latest version of
mail-notification, which is due to be installed in the Debian FTP archive:

mail-notification-evolution_4.0.dfsg.1-2_amd64.deb
  to pool/main/m/mail-notification/mail-notification-evolution_4.0.dfsg.1-2_amd64.deb
mail-notification_4.0.dfsg.1-2.diff.gz
  to pool/main/m/mail-notification/mail-notification_4.0.dfsg.1-2.diff.gz
mail-notification_4.0.dfsg.1-2.dsc
  to pool/main/m/mail-notification/mail-notification_4.0.dfsg.1-2.dsc
mail-notification_4.0.dfsg.1-2_amd64.deb
  to pool/main/m/mail-notification/mail-notification_4.0.dfsg.1-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 428157@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pascal Giard <pascal@debian.org> (supplier of updated mail-notification package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 26 Jun 2007 00:18:05 -0400
Source: mail-notification
Binary: mail-notification mail-notification-evolution
Architecture: source amd64
Version: 4.0.dfsg.1-2
Distribution: unstable
Urgency: low
Maintainer: Pascal Giard <pascal@debian.org>
Changed-By: Pascal Giard <pascal@debian.org>
Description: 
 mail-notification - mail notification in system tray
 mail-notification-evolution - evolution support for mail notification
Closes: 427888 428157 429200
Changes: 
 mail-notification (4.0.dfsg.1-2) unstable; urgency=low
 .
   * [debian/control]:
     - Added missing dependency on notification-daemon (closes: #427888).
   * [debian/patches/06-mail-notif-ssl.diff]:
     - Added patch preventing mail-notification from sending passwords in cleartext when SSL
       is unavailable (closes: #428157, #429200). Thanks to Ted Percival <ted@midg3t.net>.
Files: 
 cdc6ad22644d28244f2a6dcb42e547a9 961 gnome optional mail-notification_4.0.dfsg.1-2.dsc
 6f1ede6fca743c0668f2f245f468ef9d 13538 gnome optional mail-notification_4.0.dfsg.1-2.diff.gz
 282beb8101c5936b029cb6467c357319 372586 gnome optional mail-notification_4.0.dfsg.1-2_amd64.deb
 8ecfc11063899aabe19f96fe94c0300d 30088 gnome optional mail-notification-evolution_4.0.dfsg.1-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGgJZv1Lfd97FsypURAshEAKC6DGwsGuE4D45m07AkvIjnFCqS5ACfXxqm
+vLTvY++RQGHuvHu2Xhn+to=
=KoXw
-----END PGP SIGNATURE-----




Reply sent to Pascal Giard <pascal@debian.org>:
You have taken responsibility.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 07:26:37 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:16:18 2014; Machine Name: buxtehude.debian.org
