Bug 3299 - [Security] Please fix POODLE vulnerability in Claws Mail
: [Security] Please fix POODLE vulnerability in Claws Mail
Status: RESOLVED FIXED
Product: Claws Mail
Classification: Unclassified
Component: Other
: other
: All All
: P3 critical
Assigned To: users
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-10-16 11:32 CEST by nw9165-3201
Modified: 2014-10-21 09:49 CEST (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description nw9165-3201 2014-10-16 11:32:57 CEST
Dear Claws Mail developers,

according to:

http://lists.claws-mail.org/pipermail/devel/2014-October/001307.html

Claws Mail apparently seems to be vulnerable to POODLE.

Could you please fix it as soon as possible?

In the meantime:

Is there anything a user can do to prevent POODLE attacks when using Claws Mail?

If yes: What?

I already tried to use "Use STARTTLS command to start SSL session" for connecting to an IMAP server on port 993. But it doesn't work. It only works when using "Use SSL for IMAP connection".

So, what can I (and others) do?

PS:

Why is there no "Use TLS for IMAP connection" setting available in Claws Mail?

Regards
Comment 1 Paul 2014-10-16 11:38:11 CEST
> In the meantime:
> 
> Is there anything a user can do to prevent POODLE attacks when using Claws
> Mail?
> 
> If yes: What?

Use the gnutls_priority and gnutls_set_priority account prefs.

There's no GUI for these - quit Claws, then edit ~/.claws-mail/accountrc directly.
Comment 2 Colin Leroy 2014-10-16 11:42:10 CEST
You can either use STARTTLS (use port 143 on IMAP, 110 on POP3, 25 or 587 on SMTP for that).

Or you can set the preferences:

gnutls_set_priority=1
gnutls_priority=NORMAL:-VERS-SSL3.0

in ~/.claws-mail/accountrc
Comment 3 Paul 2014-10-16 11:42:40 CEST
(In reply to comment #0)
> Dear Claws Mail developers,
> 
> according to:
> 
> http://lists.claws-mail.org/pipermail/devel/2014-October/001307.html

Since you are referring us to our own development mailing list, what do you hope to achieve by opening this here? Are you just trolling, or are you really saying, "hey Claws devs, look at what you wrote on your dev mailing list"
Comment 4 nw9165-3201 2014-10-18 01:11:21 CEST
Hello,

(In reply to comment #3)
> Since you are referring us to our own development mailing list, what do you
> hope to achieve by opening this here? Are you just trolling, or are you
> really saying, "hey Claws devs, look at what you wrote on your dev mailing
> list"

well, it's simple. I tried to post something on the users mailing list (http://lists.claws-mail.org/cgi-bin/mailman/listinfo/users). But my posts are always being rejected. I tried it several times, but they were always rejected (I still don't know why).

So I came here. Simple as that.

And it would have been nice if you would have informed the Claws Mail users about the vulnerability via the users mailing list (or the official website or whatever). So, I don't think it hurts to report this vulnerability on the official bug tracker?

Funnily enough though, I already figured that you would probably be going to diss me, as you are pretty much always doing everytime I report something here...

By now I somehow am getting the feeling that, for whatever reason, you are playing the "Good cop/bad cop routine" (Colin = good "cop", you = bad "cop")...

Anyway:

(In reply to comment #2)
> You can either use STARTTLS (use port 143 on IMAP, 110 on POP3, 25 or 587 on
> SMTP for that).

That doesn't seem to work on the IMAP server I am trying. It doesn't allow to connect via port 143. It only seems to support port 993.

It's the IMAP server from T-Online / Deutsche Telekom AG (secureimap.t-online.de).

The SMTP server (securesmtp.t-online.de) supports connecting on port 25 and 587 though.

Regards
Comment 5 Paul 2014-10-18 08:53:12 CEST
(In reply to comment #4)
> well, it's simple. I tried to post something on the users mailing list
> (http://lists.claws-mail.org/cgi-bin/mailman/listinfo/users). But my posts
> are always being rejected. I tried it several times, but they were always
> rejected (I still don't know why).
> 
> So I came here. Simple as that.

You should contact Yahoo, your provider, for a potential solution to your problem in posting to the list.

But the fact you can't post to the list, for whatever reason, does not make this bug tracker a forum or somewhere for you to chat. And you know this, as it's been pointed out to your before.

> And it would have been nice if you would have informed the Claws Mail users
> about the vulnerability via the users mailing list (or the official website
> or whatever). So, I don't think it hurts to report this vulnerability on the
> official bug tracker?

You read the message thread on the development list, you could see that we have dealt with the problem, you could see that a new release is imminent, yet you still opened this ticket and gave it the summary, "Please fix POODLE vulnerability in Claws Mail". You're asking for something to be fixed that you know is already fixed.
 
> Funnily enough though, I already figured that you would probably be going to
> diss me, as you are pretty much always doing everytime I report something
> here...

I wondered if your reports aren't tailored to cause that, i.e. you're trolling.

> (In reply to comment #2)
> > You can either use STARTTLS (use port 143 on IMAP, 110 on POP3, 25 or 587 on
> > SMTP for that).
> 
> That doesn't seem to work on the IMAP server I am trying. It doesn't allow
> to connect via port 143. It only seems to support port 993.

Then set the prefs, as also stated.

And, please, no more chit-chat on the bug tracker.
Comment 6 nw9165-3201 2014-10-19 15:38:14 CEST
Hello,

(In reply to comment #5)
> Then set the prefs, as also stated.

well, no, I am using the Win32 version, so that wouldn't work either (according to the users mailing list posts).

Regards
Comment 7 Paul 2014-10-21 09:49:55 CEST
Fixed in version 3.11.0.