CVE-2009-3942

EUVD-2009-3913
Martin Lambers msmtp before 1.4.19, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Provider: NIST
Type: Primary
Base Score: 6.4 UNKNOWN
Atk. Vector: NETWORK
Atk. Complexity: LOW
Priv. Required:
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
EPSS Score
Percentile: 40%
Affected Products (NVD)
Vendor          Product  Version
martin_lambers  msmtp    𝑥 ≤ 1.4.18
martin_lambers  msmtp    0.2.5
martin_lambers  msmtp    0.2.6
martin_lambers  msmtp    0.3.0
martin_lambers  msmtp    0.3.1
martin_lambers  msmtp    0.4.0
martin_lambers  msmtp    0.4.1
martin_lambers  msmtp    0.4.2
martin_lambers  msmtp    0.5.0
martin_lambers  msmtp    0.5.1
martin_lambers  msmtp    0.5.2
martin_lambers  msmtp    0.5.3
martin_lambers  msmtp    0.6.0
martin_lambers  msmtp    0.6.1
martin_lambers  msmtp    0.6.2
martin_lambers  msmtp    0.6.3
martin_lambers  msmtp    0.6.4
martin_lambers  msmtp    0.6.5
martin_lambers  msmtp    0.6.6
martin_lambers  msmtp    0.7.0
martin_lambers  msmtp    0.7.1
martin_lambers  msmtp    0.7.2
martin_lambers  msmtp    1.0.0
martin_lambers  msmtp    1.2.1
martin_lambers  msmtp    1.2.2
martin_lambers  msmtp    1.2.3
martin_lambers  msmtp    1.2.4
martin_lambers  msmtp    1.4.0
martin_lambers  msmtp    1.4.1
martin_lambers  msmtp    1.4.2
martin_lambers  msmtp    1.4.3
martin_lambers  msmtp    1.4.4
martin_lambers  msmtp    1.4.5
martin_lambers  msmtp    1.4.6
martin_lambers  msmtp    1.4.7
martin_lambers  msmtp    1.4.8
martin_lambers  msmtp    1.4.9
martin_lambers  msmtp    1.4.10
martin_lambers  msmtp    1.4.12
martin_lambers  msmtp    1.4.13
martin_lambers  msmtp    1.4.14
martin_lambers  msmtp    1.4.15
martin_lambers  msmtp    1.4.16
martin_lambers  msmtp    1.4.17
𝑥 = Vulnerable software versions
Debian Releases
Debian Product  Codename  Version     Status
msmtp           bookworm  1.8.23-1    fixed
msmtp           bullseye  1.8.11-2.1  fixed
msmtp           sid       1.8.24-1    fixed
msmtp           trixie    1.8.24-1    fixed
Ubuntu Releases
Ubuntu Product  Codename  Status
msmtp           dapper    ignored
msmtp           hardy     ignored
msmtp           intrepid  ignored
msmtp           jaunty    ignored
msmtp           karmic    ignored
msmtp           lucid     not-affected
msmtp           maverick  ignored
msmtp           natty     ignored
msmtp           oneiric   ignored
msmtp           precise   not-affected
msmtp           quantal   ignored
msmtp           raring    ignored
msmtp           saucy     ignored
msmtp           trusty    dne
Common Weakness Enumeration