[Users] Important security update for Win32

Colin Leroy colin at colino.net
Wed Mar 5 15:38:43 CET 2014


(Re-sending signed, sorry)

Hi,

Following a rather important vulnerability fix in GnuTLS
(CVE-2014-0092), I have updated the Windows port to a fixed GnuTLS.

The updated installer is available at http://www.claws-mail.org/win32/
as usual.

Concerning the vulnerability, it is described at
http://www.gnutls.org/security.html#GNUTLS-SA-2014-2

It resembles the recent SSL vulnerability found in Apple products,
allowing certificate validation to be bypassed.

It could be used, by someone in a position to redirect network traffic to
a rogue server (man in the middle), to impersonate an SSL email server
and fetch user passwords without triggering an invalid certificate
warning - for known servers, the changed certificate warning would
still be issued.
-- 
Colin