From bc43c0d9468a8d50ba141c8a965f9f07ed0456ff Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 3 Aug 2020 19:20:05 +0200 Subject: libinterimap: Fix response injection vulnerability after STARTTLS. For background see https://gitlab.com/muttmua/mutt/-/issues/248 . --- tests/list | 1 + 1 file changed, 1 insertion(+) (limited to 'tests/list') diff --git a/tests/list b/tests/list index 402ec51..5522ba8 100644 --- a/tests/list +++ b/tests/list @@ -46,6 +46,7 @@ split-set Split large sets to avoid extra-long command lines . SSL/TLS starttls-logindisabled LOGINDISABLED STARTTLS starttls STARTTLS + starttls-injection STARTTLS response injection tls SSL/TLS handshake ... tls-verify-peer tls-pin-fingerprint pubkey fingerprint pinning -- cgit v1.2.3 From 3b2939febdeb7f92051f95a3b08cf86e221ce21d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 3 Aug 2020 20:27:38 +0200 Subject: libinterimap: abort on PREAUTH greeting received on plaintext connections Set "STARTTLS = NO" to ignore. This is similar to CVE-2020-12398 and CVE-2020-14093. --- tests/list | 1 + 1 file changed, 1 insertion(+) (limited to 'tests/list') diff --git a/tests/list b/tests/list index 5522ba8..db77f50 100644 --- a/tests/list +++ b/tests/list @@ -38,6 +38,7 @@ repair --repair auth-login LOGIN auth-logindisabled LOGINDISABLED auth-noplaintext abort when STARTTLS is not offered + preauth-plaintext abort on MiTM via PREAUTH greeting compress COMPRESS=DEFLATE condstore CONDSTORE -- cgit v1.2.3