[Users] [Bug 3105] New: vcal plugin via https does not check peer certificates or host
noreply at thewildbeast.co.uk
Tue Mar 11 09:27:31 CET 2014
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3105
Bug ID: 3105
Summary: vcal plugin via https does not check peer certificates or host
Classification: Unclassified
Product: Claws Mail
Version: 3.9.3
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Plugins/vCalendar
Assignee: users at lists.claws-mail.org
Reporter: meissner at suse.de
src/plugins/vcalendar/vcal_folder.c
has this:
#if LIBCURL_VERSION_NUM >= 0x070a00
curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYHOST, 0);
#endif
This is basically allowing any kind of man in the middle attack.
Please fix.
--
You are receiving this mail because:
You are the assignee for the bug.
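
An audit check for the pattern reported above, added here as an example; it is not part of the original report or of the Claws Mail code. It scans C source for `curl_easy_setopt` calls that set `CURLOPT_SSL_VERIFYPEER` to 0 or `CURLOPT_SSL_VERIFYHOST` to anything other than 2; the function names, the `HARDENED` sample and the handling of `FALSE`/`TRUE` are assumptions of this sketch.

```python
import re

# curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFYPEER|VERIFYHOST, <value>),
# tolerating whitespace, line breaks and a (long) cast on the value.
SETOPT_RE = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,]+,\s*"
    r"(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*"
    r"((?:\(\s*long\s*\)\s*)?\w+)\s*\)"
)

# Constructed input: the four lines quoted in the bug report.
REPORTED = """#if LIBCURL_VERSION_NUM >= 0x070a00
curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYHOST, 0);
#endif
"""

# Constructed input: the same calls with verification enabled.
HARDENED = """curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER, 1L);
curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYHOST, 2L);
"""


def literal_value(raw):
    """Return the integer a C literal stands for, or None for a variable or macro."""
    m = re.fullmatch(r"(?:\(\s*long\s*\)\s*)?(\d+)[uUlL]*", raw)
    if m:
        return int(m.group(1))
    # Assumption: FALSE/TRUE are the usual 0/1 macros (e.g. from GLib).
    return {"FALSE": 0, "TRUE": 1}.get(raw)


def find_weak_tls_options(source):
    """Return (line, option, value, reason) for each weak verification setting."""
    findings = []
    for m in SETOPT_RE.finditer(source):
        option, raw = m.group(1), m.group(2)
        value = literal_value(raw)
        line = source.count("\n", 0, m.start()) + 1
        if value is None:
            continue  # not a literal: leave for manual review
        if option.endswith("VERIFYPEER") and value == 0:
            findings.append((line, option, raw, "peer certificate is not verified"))
        elif option.endswith("VERIFYHOST") and value != 2:
            findings.append((line, option, raw, "value is not 2, the setting that checks the host name"))
    return findings


if __name__ == "__main__":
    for finding in find_weak_tls_options(REPORTED):
        print("%d: %s = %s (%s)" % finding)
```

Calls whose value is a variable or an unknown macro are skipped rather than flagged, so they still need a manual look.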