CVE-2013-0308: Input Validation
First published: Mon Feb 11 2013(Updated: )
A security flaw was found in the way git-imap-send command (tool to send a collection of patches from stdin to an IMAP folder) of Git performed IMAP server's SSL x509.v3 certificate validation (server's hostname was previously not verified to match the CN field of the particular certificate). A rogue server could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly leading to disclosure of sensitive information. References: [1] <a href="https://www.kernel.org/pub/software/scm/git/docs/git-imap-send.html">https://www.kernel.org/pub/software/scm/git/docs/git-imap-send.html</a> [2] <a href="https://github.com/git/git/blob/master/imap-send.c#L233">https://github.com/git/git/blob/master/imap-send.c#L233</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Git-scm Git | <=1.8.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.kernel.org/pub/software/scm/git/docs/git-imap-send.html
- https://github.com/git/git/blob/master/imap-send.c#L233
- https://access.redhat.com/security/cve/CVE-2013-0308
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=699610&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=699610&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=699611&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=699611&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=699612&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=699612&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=700017&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=700017&action=edit
- https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.4.txt
- http://marc.info/?l=git&m=136134619013145&w=2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=913593
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=913595
- https://rhn.redhat.com/errata/RHSA-2013-0589.html
- https://bugzilla.redhat.com/show_bug.cgi?id=909977
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701586
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00007.html
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00005.html
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00007.html
- http://rhn.redhat.com/errata/RHSA-2013-0589.html
- http://secunia.com/advisories/52361
- http://secunia.com/advisories/52443
- http://secunia.com/advisories/52467
- http://support.apple.com/kb/HT5937
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- http://www.securityfocus.com/bid/58148
- http://www.securitytracker.com/id/1028205
- https://bugzilla.novell.com/show_bug.cgi?id=804730
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82329
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/author
- agent/last-modified-date
- agent/severity
- agent/tags
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-0308
- vendor/git-scm
- canonical/git-scm git
- version/git-scm git/1.8.1.3