We have contacted the upstream and check out their latest SVN. We are sure that IMAPproxy in Ubuntu packages(all version) is vulnerable due to the missing of SSL certificate validation. This is fixed in the upstream on Jan 20th 2014. Please check their latest version, the changes are mainly in https://svn.code.sf.net/p/squirrelmail/code/trunk/imap_proxy/src/main.c. The developer from upstream "added support for up to TLS v1.2; added support for ECDHE ciphers; added ability to manually specify TLS ciphers; added server certificate validation (all thanks to Emmanuel Dreyfus)". They add a option to let user decide if they want to enforce SSL certificate validation. So please fix as the upstream did.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1374729 Title: X509 certificate verification problem To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/up-imapproxy/+bug/1374729/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
