CVE-2009-3766

Publication date 23 October 2009

Last updated 24 July 2024

Ubuntu priority

mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
mutt	10.04 LTS lucid	Ignored
	9.10 karmic	Ignored
	9.04 jaunty	Ignored
	8.10 intrepid	Ignored
	8.04 LTS hardy	Ignored
	6.06 LTS dapper	Ignored

How can I get the fixes?
What do statuses mean?

Notes

jdstrand

per Debian, our mutt is linked against gnutls, bug #553433

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2009-3766