Executive Summary
| Summary | |
|---|---|
| Title | mutt security update |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2011:0959 | First vendor Publication | 2011-07-19 |
| Vendor | RedHat | Last vendor Modification | 2011-07-19 |
| Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 5.8 | Attack Range | Network |
| Cvss Impact Score | 4.9 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: An updated mutt package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Mutt is a text-mode mail user agent. A flaw was found in the way Mutt verified SSL certificates. When a server presented an SSL certificate chain, Mutt could ignore a server hostname check failure. A remote attacker able to get a certificate from a trusted Certificate Authority could use this flaw to trick Mutt into accepting a certificate issued for a different hostname, and perform man-in-the-middle attacks against Mutt's SSL connections. (CVE-2011-1429) All Mutt users should upgrade to this updated package, which contains a backported patch to correct this issue. All running instances of Mutt must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 688755 - CVE-2011-1429 mutt: SSL host name check may be skipped when verifying certificate chain |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2011-0959.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-20 | Improper Input Validation |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:21055 | |||
| Oval ID: | oval:org.mitre.oval:def:21055 | ||
| Title: | USN-1221-1 -- mutt vulnerability | ||
| Description: | An attacker could trick mutt into trusting a rogue server. | ||
| Family: | unix | Class: | patch |
| Reference(s): | USN-1221-1 CVE-2011-1429 | Version: | 5 |
| Platform(s): | Ubuntu 11.04 Ubuntu 10.10 Ubuntu 10.04 | Product(s): | mutt |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:22052 | |||
| Oval ID: | oval:org.mitre.oval:def:22052 | ||
| Title: | RHSA-2011:0959: mutt security update (Moderate) | ||
| Description: | Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766. | ||
| Family: | unix | Class: | patch |
| Reference(s): | RHSA-2011:0959-01 CVE-2011-1429 | Version: | 4 |
| Platform(s): | Red Hat Enterprise Linux 6 | Product(s): | mutt |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:23614 | |||
| Oval ID: | oval:org.mitre.oval:def:23614 | ||
| Title: | ELSA-2011:0959: mutt security update (Moderate) | ||
| Description: | Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766. | ||
| Family: | unix | Class: | patch |
| Reference(s): | ELSA-2011:0959-01 CVE-2011-1429 | Version: | 6 |
| Platform(s): | Oracle Linux 6 | Product(s): | mutt |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:28057 | |||
| Oval ID: | oval:org.mitre.oval:def:28057 | ||
| Title: | DEPRECATED: ELSA-2011-0959 -- mutt security update (moderate) | ||
| Description: | [1.5.20-2.20091214hg736b6a.el6_1.1] - Fixed hostname verification of x.509 certificates. Resolves: #716889 (CVE-2011-1429) | ||
| Family: | unix | Class: | patch |
| Reference(s): | ELSA-2011-0959 CVE-2011-1429 | Version: | 4 |
| Platform(s): | Oracle Linux 6 | Product(s): | mutt |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2012-08-03 | Name : Mandriva Update for mutt MDVSA-2012:048 (mutt) File : nvt/gb_mandriva_MDVSA_2012_048.nasl |
| 2012-06-06 | Name : RedHat Update for mutt RHSA-2011:0959-01 File : nvt/gb_RHSA-2011_0959-01_mutt.nasl |
| 2012-04-30 | Name : FreeBSD Ports: mutt-devel File : nvt/freebsd_mutt-devel.nasl |
| 2011-09-30 | Name : Ubuntu Update for mutt USN-1221-1 File : nvt/gb_ubuntu_USN_1221_1.nasl |
| 2011-07-12 | Name : Fedora Update for mutt FEDORA-2011-7739 File : nvt/gb_fedora_2011_7739_mutt_fc15.nasl |
| 2011-06-20 | Name : Fedora Update for mutt FEDORA-2011-7751 File : nvt/gb_fedora_2011_7751_mutt_fc14.nasl |
| 2011-06-20 | Name : Fedora Update for mutt FEDORA-2011-7756 File : nvt/gb_fedora_2011_7756_mutt_fc13.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 73731 | Mutt SMTP X.509 Certificate Common Name Field MiTM Weakness |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2011-0959.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110719_mutt_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
| 2012-04-09 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_493143217fd411e19582001b2134ef46.nasl - Type : ACT_GATHER_INFO |
| 2012-04-03 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-048.nasl - Type : ACT_GATHER_INFO |
| 2011-09-30 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1221-1.nasl - Type : ACT_GATHER_INFO |
| 2011-07-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0959.nasl - Type : ACT_GATHER_INFO |
| 2011-06-16 | Name : The remote Fedora host is missing a security update. File : fedora_2011-7756.nasl - Type : ACT_GATHER_INFO |
| 2011-06-12 | Name : The remote Fedora host is missing a security update. File : fedora_2011-7739.nasl - Type : ACT_GATHER_INFO |
| 2011-06-12 | Name : The remote Fedora host is missing a security update. File : fedora_2011-7751.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:54:53 |
|
