Published: 2010-03-31 20:00:00    Last modified: 2010-05-22 07:46:40

The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and possibly other versions including 1.0.4, treats two strings as equal if one is a substring of the other, which allows remote attackers to spoof trusted certificates via a crafted subjectAltName. The affected code is the client-side check that compares the name in the server certificate against the SMTP host the application asked to connect to, so the practical impact is that a network attacker holding a valid certificate for a different name that shares that substring relationship with the expected server name can be accepted as the intended mail server on a TLS-protected session.
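To make the flaw class concrete, here is an added example (not libESMTP's own code) that reconstructs a per-label host name matcher with the same defect: the comparison loop stops as soon as either label is exhausted and the function then reports a match, so a certificate label that is merely a prefix of the expected label (one form of the substring acceptance the advisory describes) is accepted. The hardened form beside it requires both labels to be fully consumed. The function names, the match_host label splitter, the wildcard handling and the sample names are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compare one DNS label of the expected host name (dom..edom) against one
 * label taken from the certificate name (ref..eref), case-insensitively.
 * A reference label that is exactly "*" matches any host label.
 *
 * This is an illustrative reconstruction of the flaw class, not the
 * libESMTP source: when EITHER side runs out the loop exits and the
 * function reports success, so "exa" is accepted for "example". */
static bool
vulnerable_match_component (const char *dom, const char *edom,
                            const char *ref, const char *eref)
{
  if (eref - ref == 1 && *ref == '*')
    return true;                                /* wildcard label */
  while (dom < edom && ref < eref)
    {
      if (tolower ((unsigned char) *dom) != tolower ((unsigned char) *ref))
        return false;
      dom++;
      ref++;
    }
  return true;                 /* BUG: neither end position is checked */
}

/* Hardened form: a match requires both labels to be consumed completely. */
static bool
fixed_match_component (const char *dom, const char *edom,
                       const char *ref, const char *eref)
{
  if (eref - ref == 1 && *ref == '*')
    return true;
  while (dom < edom && ref < eref)
    {
      if (tolower ((unsigned char) *dom) != tolower ((unsigned char) *ref))
        return false;
      dom++;
      ref++;
    }
  return dom == edom && ref == eref;
}

typedef bool (*component_fn) (const char *, const char *,
                              const char *, const char *);

/* Split both names on '.' and compare them label by label using cmp.
 * Both names must contain the same number of labels. */
static bool
match_host (const char *host, const char *cert_name, component_fn cmp)
{
  const char *h = host, *c = cert_name;
  for (;;)
    {
      const char *eh = strchr (h, '.');
      const char *ec = strchr (c, '.');
      if (eh == NULL) eh = h + strlen (h);
      if (ec == NULL) ec = c + strlen (c);
      if (!cmp (h, eh, c, ec))
        return false;
      if (*eh == '\0' || *ec == '\0')
        return *eh == *ec;     /* both names must end on the same label */
      h = eh + 1;
      c = ec + 1;
    }
}

bool vulnerable_host_matches (const char *host, const char *cert_name)
{ return match_host (host, cert_name, vulnerable_match_component); }

bool fixed_host_matches (const char *host, const char *cert_name)
{ return match_host (host, cert_name, fixed_match_component); }

int
main (void)
{
  /* Constructed sample names: which certificate names pass for this host? */
  const char *host = "mail.example.com";
  const char *names[] = { "mail.example.com", "mail.exa.com",
                          "mail.examplefoo.com", "*.example.com",
                          "mail.example.com.evil.net" };
  for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
    printf ("%-28s vulnerable=%d fixed=%d\n", names[i],
            vulnerable_host_matches (host, names[i]),
            fixed_host_matches (host, names[i]));
  return 0;
}
```

The second and third sample names are the interesting ones: an attacker who legitimately controls exa.com or examplefoo.com can obtain a CA-issued certificate for them, and the vulnerable matcher accepts either for mail.example.com while the hardened one rejects both. Names with a different label count are rejected by both, which is why the substring must line up label by label for the spoof to work in this reconstruction.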

CVSS v2 metrics

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Affected versions listed for Stafford.uklinux libESMTP (none of these entries are official CPE names): 0.1, 0.1 A, 0.2, 0.3, 0.4, 0.5, 0.6, 0.6 A, 0.6.1, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.10 P1, 0.8.11, 0.8.12, 1.0 Rc1, 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.3 R1, 1.0.4.