[Pkg-exim4-users] Please backport Certificate hostname verification fix
Chuck Peters
cp at ccil.org
Sun Jun 21 21:36:45 UTC 2015
Andreas Metzler pointed out a set of patches that fix this issue in Exim
4.86. Will this fix be backported to stable, oldstable or oldoldstable?
This is an Ubuntu bug report, but I'm not sure if any of the Debian bug
reports refer to this issue:
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1384232
We did an automatic static analysis on exim4 packages in Ubuntu and found
that EXIM will not verify the hostname of a SMTP server against its
certificate. This will possibly result in a man-in-the-middle attack. We
reported this bug directly to exim.org in May 2014 and they fixed this
problem in their latest release. So please fix this issue in Ubuntu.
Bug: http://bugs.exim.org/show_bug.cgi?id=1479
Comment #2 and #3 basically say something was done upstream and no CVE
will be assigned to this issue.
Comment #3 Sun, Jun 21, 2015 at 1:33 AM
Andreas Metzler said:
This seems to be enabled by default in 4.86RC.
http://git.exim.org/exim.git/commit/01a4a5c5cbaa40ca618d3e233991ce183b551477
Additional comments:
https://lists.exim.org/lurker/thread/20140512.070741.1c59139a.en.html#i20140512.070741.1c59139a
https://lists.exim.org/lurker/message/20140512.150453.d06e3960.en.html
Viktor Dukhovni said "MiTM-resistant TLS security is not possible at
scale for SMTP without DNSSEC + DANE."
DANE for SMTP hasn't attained widespread adoption and with Let's
Encrypt making it easier to obtain CA certificates, I hope we will see
a lot more CA certificates on Debian Exim servers in 2016. Let's hope
we see more DANE support as well!
Thanks,
Chuck
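As an added illustration (not part of this message, and not an Exim project example), here is the shape of an smtp transport before and after tightening outbound TLS verification for the problem described above. The option names are quoted from the Exim specification as I remember it, the version notes are assumptions to check against the installed release's docs, and the host lists are placeholders.

```
# Added example, not from the original message. Option names are from the
# Exim spec; host lists (example.org) are placeholders.

# --- Before: a CA bundle is configured, so the chain can be verified, but
# --- (per the bug report) Exim before 4.86 never compares the peer's name
# --- against the certificate, so any CA-issued cert satisfies the check.
remote_smtp_before:
  driver = smtp
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

# --- After: state the verification policy explicitly.
remote_smtp:
  driver = smtp
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  # Peers that must present a verified certificate or delivery is deferred:
  tls_verify_hosts = *.example.org
  # Everyone else: attempt verification and record the outcome, but still
  # deliver (opportunistic TLS is better than cleartext):
  tls_try_verify_hosts = *
  # Assumed 4.86+: hosts for which the name is checked against the cert.
  # The release enables this by default; setting it makes the intent visible.
  tls_verify_cert_hostnames = *
  # Assumed 4.85+ built with EXPERIMENTAL_DANE: prefer DNSSEC-validated TLSA
  # records, and insist on them for the most sensitive destinations. The
  # dnslookup router also needs "dnssec_request_domains = *" for this.
  hosts_try_dane = *
  hosts_require_dane = *.example.org
```

Log lines for deliveries through the hardened transport should show the certificate verification result next to the TLS cipher, which is the quickest way to confirm the policy is actually in effect.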