
src/socket.c: Fix OpenSSL versions for OpenSSL-version-dependent impl… #202

Merged
merged 1 commit into lefcha:master from sunweaver:pr/fix-openssl-versions on Nov 1, 2019

Conversation

@sunweaver
Contributor

sunweaver commented Oct 30, 2019

…ementations of the hostname validation support.

@sunweaver

Contributor Author

sunweaver commented Oct 30, 2019

Today I looked into CVE-2016-10937 with regard to fixing the issue in Debian jessie (v8) LTS.

The hostname validation fixes you already committed use wrong OpenSSL version numbers in the #ifdef blocks introduced in src/socket.c.

The upper code block is for OpenSSL 1.1.0 (should be 10100000L), the lower block is for OpenSSL 1.0.2 (should be 10002000L). Please check that by looking at OpenSSL's crypto/opensslv.h file.

Furthermore, I came up with quite a complex patch for introducing pre-OpenSSL-1.0.2 (i.e. OpenSSL 1.0.1 and earlier) hostname validation. I attach that patch to this comment.

CVE-2016-10937_OpenSSL-1.0.1.patch.txt

@sunweaver sunweaver force-pushed the sunweaver:pr/fix-openssl-versions branch from ebe8a98 to 9a9c15a Oct 30, 2019
@lefcha
lefcha approved these changes Nov 1, 2019
@lefcha lefcha merged commit ab48574 into lefcha:master Nov 1, 2019
@lefcha

Owner

lefcha commented Nov 1, 2019

You're right, I messed up the OpenSSL versions there.

Thanks a lot for the PR!

@hiqua


hiqua commented on src/socket.c in 9a9c15a Nov 10, 2019

@sunweaver @lefcha shouldn't this branch completely fail, with #error or similar? If name validation is not supported, imapfilter should not run at all by default. With this code, it just means that the CVE is not closed for a whole range of OSes still having old OpenSSL versions (I think some CentOS versions).

@lefcha

Owner

lefcha commented Nov 10, 2019

In the README it is mentioned that OpenSSL 1.0.2 or later should be used. Should we not allow building with older versions? I mean, is this preferred?
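Added example (not code from imapfilter or from this PR) showing how the two OPENSSL_VERSION_NUMBER thresholds discussed above are derived from OpenSSL's 0xMNNFFPPS layout, and how the guard ladder in src/socket.c can refuse a pre-1.0.2 build with #error, as hiqua suggests, instead of silently building without hostname validation. The macro, enum and function names are assumptions; only the two threshold values and the OpenSSL APIs named in comments come from the thread or OpenSSL itself.

```c
#include <stdio.h>

/* OpenSSL 1.x packs OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 * M = major, NN = minor, FF = fix, PP = patch letter (a = 1, b = 2, ...),
 * S = status (0 = dev, 1..e = beta, f = release). So 1.0.2 starts at
 * 0x10002000L and 1.1.0 at 0x10100000L, the two thresholds this PR corrects. */
unsigned long openssl_version_number(unsigned major, unsigned minor,
                                     unsigned fix, unsigned patch, unsigned status)
{
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix   << 12) | ((unsigned long)patch << 4)  |
           (unsigned long)status;
}

/* Thresholds for the two hostname-validation code paths (names are assumed). */
#define IMAPFILTER_OPENSSL_1_0_2 0x10002000L   /* X509_VERIFY_PARAM_set1_host() */
#define IMAPFILTER_OPENSSL_1_1_0 0x10100000L   /* SSL_set1_host() */

enum hostname_api {
    HOSTNAME_API_NONE,            /* pre-1.0.2: no built-in hostname check */
    HOSTNAME_API_X509_PARAM,      /* 1.0.2: X509_VERIFY_PARAM_set1_host() */
    HOSTNAME_API_SSL_SET1_HOST    /* 1.1.0+: SSL_set1_host() */
};

/* Runtime mirror of the #if ladder, so the selection can be exercised
 * without OpenSSL headers. Hypothetical helper, not imapfilter's code. */
enum hostname_api select_hostname_api(unsigned long version)
{
    if (version >= IMAPFILTER_OPENSSL_1_1_0) return HOSTNAME_API_SSL_SET1_HOST;
    if (version >= IMAPFILTER_OPENSSL_1_0_2) return HOSTNAME_API_X509_PARAM;
    return HOSTNAME_API_NONE;
}

/* Compile-time form of the same ladder when OpenSSL headers are present;
 * the last branch fails the build rather than skipping validation. */
#ifdef OPENSSL_VERSION_NUMBER
# if OPENSSL_VERSION_NUMBER >= IMAPFILTER_OPENSSL_1_1_0
#  define HOSTNAME_VALIDATION "SSL_set1_host"
# elif OPENSSL_VERSION_NUMBER >= IMAPFILTER_OPENSSL_1_0_2
#  define HOSTNAME_VALIDATION "X509_VERIFY_PARAM_set1_host"
# else
#  error "OpenSSL 1.0.2 or later is required for hostname validation"
# endif
#endif

int main(void)
{
    unsigned long v = openssl_version_number(1, 0, 1, 7, 0xf);   /* 1.0.1g */
    printf("1.0.1g = 0x%08lx -> api %d (0 = none)\n", v, select_hostname_api(v));
    return 0;
}
```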
