<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201310-02">
  <title>isync: Man-in-the-Middle attack</title>
  <synopsis>A vulnerability in isync could allow remote attackers to perform
    man-in-the-middle attacks.
  </synopsis>
  <product type="ebuild">isync</product>
  <announced>2013-10-05</announced>
  <revised count="1">2013-10-05</revised>
  <bug>458420</bug>
  <access>remote</access>
  <affected>
    <package name="net-mail/isync" auto="yes" arch="*">
      <unaffected range="ge">1.0.6</unaffected>
      <vulnerable range="lt">1.0.6</vulnerable>
    </package>
  </affected>
  <background>
    <p>isync is an IMAP and MailDir mailbox synchronizer.</p>
  </background>
  <description>
    <p>isync does not properly verify the server’s hostname against the CN
      field in the SSL certificate.
    </p>
  </description>
  <impact type="low">
    <p>A remote server could perform man-in-the-middle attacks to disclose
      passwords or obtain other sensitive information.
    </p>
  </impact>
  <workaround>
    <p>There is no known workaround at this time.</p>
  </workaround>
  <resolution>
    <p>All isync users should upgrade to the latest version:</p>
    <code>
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=net-mail/isync-1.0.6"
    </code>
  </resolution>
  <references>
    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0289">CVE-2013-0289</uri>
  </references>
  <metadata tag="requester" timestamp="2013-04-08T23:32:51Z">ackle</metadata>
  <metadata tag="submitter" timestamp="2013-10-05T20:45:35Z">ackle</metadata>
</glsa>