Upstream information

CVE-2009-3942 at MITRE

Description

Martin Lambers msmtp before 1.4.19, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
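The class of flaw described above, shown as an added example rather than code from msmtp, OpenSSL or SUSE: a certificate name field carries its own length, so a comparison that treats it as a C string stops at the first '\0' and accepts a longer name as the shorter host. The function names and the sample name are constructed for illustration, and only exact (non-wildcard) matching is shown.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the raw bytes of a certificate name field (CN or
 * dNSName) containing an embedded NUL. Both domains are placeholders. */
static const unsigned char SAMPLE_NAME[] = "mail.example.com\0.attacker.invalid";
#define SAMPLE_NAME_LEN (sizeof(SAMPLE_NAME) - 1)

/* Case-insensitive comparison of exactly n bytes. */
static int eq_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed pattern: ignores the encoded length and treats the field as a C
 * string, so the comparison ends at the first NUL byte. */
int match_naive(const unsigned char *name, size_t name_len, const char *host)
{
    size_t seen = strlen((const char *)name);   /* stops at embedded NUL */
    (void)name_len;
    return seen == strlen(host) && eq_nocase(name, host, seen);
}

/* Hardened pattern: use the encoded length, and refuse any name that
 * contains a NUL byte before comparing. */
int match_strict(const unsigned char *name, size_t name_len, const char *host)
{
    if (memchr(name, '\0', name_len) != NULL)
        return 0;                               /* malformed name: reject */
    return name_len == strlen(host) && eq_nocase(name, host, name_len);
}

int main(void)
{
    const char *host = "mail.example.com";
    printf("naive:  %d\n", match_naive(SAMPLE_NAME, SAMPLE_NAME_LEN, host));
    printf("strict: %d\n", match_strict(SAMPLE_NAME, SAMPLE_NAME_LEN, host));
    return 0;
}
```

With an OpenSSL-backed client the same check amounts to comparing the ASN.1 string's reported length against strlen() of its data and rejecting the certificate when they differ.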

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores (National Vulnerability Database)

Base Score: 6.4
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: Partial

SUSE Bugzilla entry: 557181 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE 11.0
  • msmtp-debuginfo >= 1.4.14-14.2
  • msmtp-debugsource >= 1.4.14-14.2
openSUSE 11.0
  • msmtp >= 1.4.14-14.2
openSUSE 11.1
  • msmtp-debuginfo >= 1.4.16-1.28.1
  • msmtp-debugsource >= 1.4.16-1.28.1
openSUSE 11.1
  • msmtp >= 1.4.16-1.28.1
openSUSE 11.2
  • msmtp-debuginfo >= 1.4.16-2.2.1
  • msmtp-debugsource >= 1.4.16-2.2.1
openSUSE 11.2
  • msmtp >= 1.4.16-2.2.1