GNU bug report logs - #19283
25.0.50; imap.el with man-in-the-middle vulnerability

Previous Next

Package: emacs;

Reported by: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>

Date: Fri, 5 Dec 2014 19:39:02 UTC

Severity: normal

Tags: security

Found in version 25.0.50

Fixed in version 25.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>
To: Andreas Schwab <schwab <at> linux-m68k.org>
Cc: 19283 <at> debbugs.gnu.org
Subject: bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability
Date: Fri, 05 Dec 2014 21:39:41 +0100

On 2014-12-05, Andreas Schwab wrote:

> Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org> writes:
>
>> In addition, imap.el only tries SSLv2 and SSLv3,
>
> imap.el always tries STARTTLS and TLS before SSL, unless you force it to
> do otherwise.

I’m sorry, I meant to talk about imap-ssl-program, which I mentioned
above that quote.  So it should read: “imap-ssl-program in imap.el
only tries SSLv2 and SSLv3”

But you are right, I’m using “:stream ssl” among mail-sources.
If I remove that, the connection uses STARTTLS, which ultimately
calls starttls-gnutls-program, for which I suggested
(setq starttls-extra-arguments '("--strict-tofu"))
in bug#16978 to avoid MITM with “trusted” certificates.

Changing to “:stream tls” seems to invoke tls-program, about which I
filed bug#19284.

Best wishes
Jens

This bug report was last modified 9 years and 154 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #19283 25.0.50; imap.el with man-in-the-middle vulnerability

GNU bug report logs - #19283
25.0.50; imap.el with man-in-the-middle vulnerability