#3506: failure to check server certificate in SMTP TLS connection
--------------------+-------------------------------------------------------
Reporter: db | Owner: mutt-dev
Type: defect | Status: new
Priority: major | Milestone:
Component: mutt | Version:
Keywords: |
--------------------+-------------------------------------------------------
Comment(by db):
I haven't had a chance to test this patch. It is worth noting that
CVE-2011-1429 seemed to be assigned to this issue. However, the
description is slightly wrong. When I tested IMAPS - I found that my
previous (memory/testing..) didn't hold in the current version. So it
isn't only SMTP(S).

I will try and test it a little bit later in a number of scenarios. I am
sorry for the initial disclosure method. However, I already accidentally
(as I was testing) disclosed the bug in an IRC channel and considered it
to be public at that point.

Personally I am disappointed in the lack of testing for these cases (using
gnutls) and ... I _was_ a mutt user who used it in a vulnerable
configuration :/
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3506#comment:14>
Mutt <http://www.mutt.org/>
The Mutt mail user agent