[Users] Import security update for Win32
colin at colino.net
Wed Mar 5 15:38:07 CET 2014
Following a rather important vulnerability fix in GnuTLS
(CVE-2014-0092), I have updated the Windows port to a fixed GnuTLS.
The updated installer is available at http://www.claws-mail.org/win32/
Concerning the vulnerability, it is described at
It resembles the recent SSL vulnerability found in Apple products,
allowing to bypass certificate validation.
It could be used, by someone in position to redirect network traffic to
a rogue server (Man in the middle), to impersonate an SSL email server
and fetch user passwords without triggering an invalid certificate
warning - for known servers, the changed certificate warning would
still be issued.
More information about the Users