FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mail/trojita -- may leak mail contents (not user credentials) over unencrypted connection

Affected packages
trojita < 0.4.1

Details

VuXML ID: 36f9ac43-b2ac-11e3-8752-080027ef73ec
Discovery: 2014-03-20
Entry: 2014-03-23

Jan Kundrát reports:

An SSL stripping vulnerability was discovered in Trojitá, a fast Qt IMAP e-mail client. User's credentials are never leaked, but if a user tries to send an e-mail, the automatic saving into the "sent" or "draft" folders could happen over a plaintext connection even if the user's preferences specify STARTTLS as a requirement.

References

CVE Name: CVE-2014-2567
URL: http://jkt.flaska.net/blog/Trojita_0_4_1__a_security_update_for_CVE_2014_2567.html