Описание
Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | released | 2.0.15-1ubuntu5 |
| hardy | not-affected | |
| lucid | not-affected | |
| maverick | not-affected | |
| natty | not-affected | 1:1.2.15-3ubuntu2.1 |
| oneiric | released | 1:2.0.13-1ubuntu3.2 |
| upstream | released | 2.0.16 |
Показывать по
EPSS
5.8 Medium
CVSS2
Связанные уязвимости
Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.
Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.
Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostn ...
Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.
ELSA-2013-0520: dovecot security and bug fix update (LOW)
EPSS
5.8 Medium
CVSS2