Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| http://www.redhat.com/support/errata/RHSA-2011-0959.html | vendor advisory |
| http://secunia.com/advisories/44937 | third party advisory |
| http://securityreason.com/securityalert/8143 | third party advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/66015 | vdb entry |
| http://seclists.org/fulldisclosure/2011/Mar/87 | mailing list patch |
| http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061356.html | vendor advisory |
| http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061353.html | vendor advisory |
| http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061461.html | vendor advisory |
| http://www.securityfocus.com/bid/46803 | vdb entry |