[Users] Import security update for Win32

Colin Leroy colin at colino.net
Wed Mar 5 15:38:07 CET 2014


Hi,

Following a rather important vulnerability fix in GnuTLS
(CVE-2014-0092), I have updated the Windows port to a fixed GnuTLS.

The updated installer is available at http://www.claws-mail.org/win32/
as usual.

Concerning the vulnerability, it is described at
http://www.gnutls.org/security.html#GNUTLS-SA-2014-2

It resembles the recent SSL vulnerability found in Apple products,
allowing certificate validation to be bypassed.

It could be used, by someone in a position to redirect network traffic to
a rogue server (man in the middle), to impersonate an SSL email server
and fetch user passwords without triggering an invalid certificate
warning - for known servers, the changed certificate warning would
still be issued.
-- 
Colin


