
isync: Man-in-the-Middle attack


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 201310-02 / isync
Release Date: October 05, 2013
Latest Revision: October 05, 2013: 1
Impact: low
Exploitable: remote

Package         Vulnerable versions   Unaffected versions   Architecture(s)
net-mail/isync  < 1.0.6               >= 1.0.6              All supported architectures

Related bugreports: #458420


A vulnerability in isync could allow remote attackers to perform man-in-the-middle attacks.

2.  Impact Information


isync is an IMAP and MailDir mailbox synchronizer.


isync does not properly verify the server’s hostname against the CN field in the SSL certificate.


A remote server could perform man-in-the-middle attacks to disclose passwords or obtain other sensitive information.
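
The missing check, shown as an added example (not isync's code and not the upstream fix): a comparison of the hostname the client connected to against a name taken from the server certificate. The function name `cert_name_matches_host` and the sample names are assumptions made for illustration; the wildcard, embedded-NUL and IP-literal handling goes beyond the plain CN comparison the advisory describes.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added illustration, not isync code. Returns 1 if `host` (the name the
 * client dialed) is covered by `name`, a CN or dNSName from the peer
 * certificate. `name_len` is the ASN.1 string length, not strlen(). */
int cert_name_matches_host(const char *name, size_t name_len, const char *host)
{
    size_t host_len = strlen(host);

    /* Reject empty input and names with an embedded NUL byte, which a
     * strlen()-based comparison would silently truncate. */
    if (name_len == 0 || host_len == 0 || memchr(name, '\0', name_len))
        return 0;

    /* Exact, case-insensitive match. */
    if (name_len == host_len && strncasecmp(name, host, name_len) == 0)
        return 1;

    /* Wildcards: only "*." as the whole leftmost label, never for an
     * IP literal, and with at least two labels after the wildcard. */
    if (name_len < 3 || name[0] != '*' || name[1] != '.')
        return 0;
    if (strspn(host, "0123456789.") == host_len || strchr(host, ':'))
        return 0;
    const char *suffix = name + 1;            /* e.g. ".example.org" */
    size_t suffix_len = name_len - 1;
    if (memchr(suffix, '*', suffix_len) ||
        !memchr(suffix + 1, '.', suffix_len - 1))
        return 0;

    /* The wildcard stands for exactly one non-empty host label. */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;
    return host_len - (size_t)(dot - host) == suffix_len &&
           strncasecmp(dot, suffix, suffix_len) == 0;
}

int main(void)
{
    /* Constructed sample names; no real certificate is parsed here. */
    const char cn[] = "*.example.org";
    printf("%d\n", cert_name_matches_host(cn, sizeof cn - 1, "imap.example.org"));
    printf("%d\n", cert_name_matches_host(cn, sizeof cn - 1, "imap.example.net"));
    return 0;
}
```

A TLS client must treat a failed match as a failed handshake and close the connection before sending credentials. Where the TLS library offers its own host check (OpenSSL 1.0.2 and later provide `X509_check_host`), use that rather than a hand-written matcher.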

3.  Resolution Information


There is no known workaround at this time.


All isync users should upgrade to the latest version:

Code Listing 3.1: Resolution

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-mail/isync-1.0.6"

4.  References


Page updated October 05, 2013

Summary: This is a Gentoo Linux Security Advisory

Security Team