CVE-2014-7275

Published: 8 October 2014

The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof POP3 servers and obtain sensitive information via a crafted certificate.

Priority

Status

Package	Release	Status
getmail4 Launchpad, Ubuntu, Debian	artful	Not vulnerable (4.46.0-1)
	bionic	Not vulnerable (4.46.0-1)
	cosmic	Does not exist
	disco	Does not exist
	lucid	Ignored (end of life)
	precise	Ignored (end of life)
	trusty	Does not exist (trusty was needed)
	upstream	Released (4.46.0-1)
	utopic	Not vulnerable (4.46.0-1)
	vivid	Not vulnerable (4.46.0-1)
	wily	Not vulnerable (4.46.0-1)
	xenial	Not vulnerable (4.46.0-1)
	yakkety	Not vulnerable (4.46.0-1)
	zesty	Not vulnerable (4.46.0-1)

References

http://pyropus.ca/software/getmail/CHANGELOG
http://openwall.com/lists/oss-security/2014/10/07/33
https://www.cve.org/CVERecord?id=CVE-2014-7275
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.